From 448fe3065e3b6387f80d18d384b5452137116e92 Mon Sep 17 00:00:00 2001
From: Daniel Grunwald
Date: Tue, 6 Dec 2022 20:13:43 +0100
Subject: [PATCH] Also reject absolute paths in bundle decompression
---
 ICSharpCode.ILSpyCmd/IlspyCmdProgram.cs | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ICSharpCode.ILSpyCmd/IlspyCmdProgram.cs b/ICSharpCode.ILSpyCmd/IlspyCmdProgram.cs
index 39df213262..1e46531cfc 100644
--- a/ICSharpCode.ILSpyCmd/IlspyCmdProgram.cs
+++ b/ICSharpCode.ILSpyCmd/IlspyCmdProgram.cs
@@ -342,7 +342,7 @@ int DumpPackageAssemblies(string packageFileName, string outputDirectory, Comman
 {
 Stream contents;
- if (entry.RelativePath.Replace('\\', '/').Contains("../", StringComparison.Ordinal))
+ if (entry.RelativePath.Replace('\\', '/').Contains("../", StringComparison.Ordinal) || Path.IsPathRooted(entry.RelativePath))
 {
 app.Error.WriteLine($"Skipping single-file entry '{entry.RelativePath}' because it might refer to a location outside of the bundle output directory.");
 continue;
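Review bot: The guard in the changed `if` is still a deny-list on the raw entry name: it rejects `../` substrings and rooted paths, but it never checks where the combined path actually lands, so any form the two tests do not anticipate is decided by the later path join rather than by this check. `Path.IsPathRooted` is also evaluated with the rules of the OS that ilspycmd runs on, so a name that another platform would treat as rooted is not flagged. A containment check on the resolved path is more robust: `var target = Path.GetFullPath(Path.Combine(outputDirectory, entry.RelativePath));` followed by `if (!target.StartsWith(Path.GetFullPath(outputDirectory) + Path.DirectorySeparatorChar, StringComparison.Ordinal))`. The body of DumpPackageAssemblies, including the code that opens the output file, is outside the hunk, so how the name is joined with `outputDirectory` should be confirmed there.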