Also reject absolute paths in bundle decompression

icsharpcode · Dec 18, 2022 · 448fe30 · 448fe30
1 parent a8308a1
commit 448fe30
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/ICSharpCode.ILSpyCmd/IlspyCmdProgram.cs b/ICSharpCode.ILSpyCmd/IlspyCmdProgram.cs
@@ -342,7 +342,7 @@ int DumpPackageAssemblies(string packageFileName, string outputDirectory, Comman
 					{
 						Stream contents;
 
-						if (entry.RelativePath.Replace('\\', '/').Contains("../", StringComparison.Ordinal))
+						if (entry.RelativePath.Replace('\\', '/').Contains("../", StringComparison.Ordinal) || Path.IsPathRooted(entry.RelativePath))
 						{
 							app.Error.WriteLine($"Skipping single-file entry '{entry.RelativePath}' because it might refer to a location outside of the bundle output directory.");
 							continue;