Zip-slip vulnerability #63
Comments
@awused, are you willing to look at this vulnerability? It'd be nice to fix it before the next release.
I don't use the vulnerable methods and I'm not looking to become a maintainer of this project. You could look into getting a CVE number for this, it is pretty serious, and it shouldn't just be a "nice to fix."
otavio added a commit that referenced this issue on Jul 31, 2021:
It uses relative destination paths to unpack files in unexpected places. More details can be found at: http://snyk.io/research/zip-slip-vulnerability
Fixes: #63
Signed-off-by: Otavio Salvador <otavio@ossystems.com.br>
uncompress_archive is vulnerable to zip-slip. This can be verified with the test files in https://github.com/snyk/zip-slip-vulnerability/tree/master/archives. Using zip-slip.zip I was able to extract good.txt to my chosen directory, but evil.txt was extracted to /tmp/. This is usually worthy of a security advisory.
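The defensive check that closes this class of bug is to validate every archive entry name before joining it onto the extraction directory, and to refuse anything that would land outside it. The following is an added Rust example written for this thread; it is not code from the project or from any of the commits above. The function names `safe_entry_path` and `partition_entries`, the destination directory, and the entry names are all constructed for illustration; only the good.txt / evil.txt pair and the "../" chain that lands in /tmp/ mirror what the issue reports.

```rust
use std::path::{Component, Path, PathBuf};

/// Lexically validate one archive entry name against the chosen extraction
/// directory. Returns the full destination path if the entry stays inside
/// `dest`, or `None` if it would land elsewhere (the zip-slip case).
///
/// Policy: any `..` component, any absolute name, and any empty name is
/// rejected outright. That is stricter than strictly necessary (`a/../b`
/// would be harmless) but a well-formed archive has no reason to carry `..`.
pub fn safe_entry_path(dest: &Path, entry_name: &str) -> Option<PathBuf> {
    // The zip format mandates '/' as separator; treat '\' the same way so a
    // name like "..\evil.txt" is not waved through as one odd filename on
    // Unix and then interpreted as traversal by a Windows extractor.
    let normalized = entry_name.replace('\\', "/");
    let mut relative = PathBuf::new();
    for component in Path::new(&normalized).components() {
        match component {
            // ordinary segment such as "sub" or "good.txt": keep it
            Component::Normal(part) => relative.push(part),
            // "." contributes nothing
            Component::CurDir => {}
            // ".." is exactly the zip-slip primitive: reject the entry
            Component::ParentDir => return None,
            // "/..." or "C:\..." would ignore `dest` entirely: reject
            Component::RootDir | Component::Prefix(_) => return None,
        }
    }
    if relative.as_os_str().is_empty() {
        return None;
    }
    Some(dest.join(relative))
}

/// Apply the check to a whole archive listing, splitting entries into those
/// safe to write under `dest` and those that must be skipped (or, in a
/// strict extractor, abort the whole extraction).
pub fn partition_entries<'a>(
    dest: &Path,
    names: &[&'a str],
) -> (Vec<PathBuf>, Vec<&'a str>) {
    let mut accepted = Vec::new();
    let mut rejected = Vec::new();
    for name in names {
        match safe_entry_path(dest, name) {
            Some(path) => accepted.push(path),
            None => rejected.push(*name),
        }
    }
    (accepted, rejected)
}

fn main() {
    // Constructed listing: the shape of the snyk zip-slip.zip test archive.
    let dest = Path::new("/home/user/extract-here");
    let entries = ["good.txt", "../../../../../../../../tmp/evil.txt"];
    let (accepted, rejected) = partition_entries(dest, &entries);
    println!("accepted: {:?}", accepted);
    println!("rejected: {:?}", rejected);
}
```

This is a purely lexical check, so it should run before any file is created and before the path is handed to the filesystem. It does not by itself cover an archive that first extracts a symlink entry pointing outside `dest` and then writes a file through that link; an extractor that accepts symlink entries needs either to refuse them or to re-check the canonicalized parent directory of each written file against `dest` at write time.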