add zip path traversal vulnerability check for zip decompression

fatih ergin 2023-08-15 00:54:29 +03:00
parent 4caf77bc9b
commit a380eb9c3c
2 changed files with 7 additions and 1 deletions


@ -78,7 +78,7 @@ android {
}
dependencies {
implementation 'com.github.fatihergin:Simple-Commons:fe7a01274a' // TODO: do not replace it with SimpleMobileTools
implementation 'com.github.SimpleMobileTools:Simple-Commons:d1629c7f1a'
implementation 'com.github.tibbi:AndroidPdfViewer:e6a533125b'
implementation 'com.github.Stericson:RootTools:df729dcb13'
implementation 'com.github.Stericson:RootShell:1.6'


@ -19,6 +19,7 @@ import net.lingala.zip4j.exception.ZipException.Type
import net.lingala.zip4j.io.inputstream.ZipInputStream
import net.lingala.zip4j.model.LocalFileHeader
import java.io.BufferedInputStream
import java.io.File
class DecompressActivity : SimpleActivity() {
companion object {
@ -145,6 +146,11 @@ class DecompressActivity : SimpleActivity() {
continue
}
val isVulnerableForZipPathTraversal = !File(newPath).canonicalPath.startsWith(parent)
if (isVulnerableForZipPathTraversal) {
continue
}
val fos = getFileOutputStreamSync(newPath, newPath.getMimeType())
var count: Int
while (true) {
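Review bot: The containment test `File(newPath).canonicalPath.startsWith(parent)` is a plain string-prefix comparison, so an entry that resolves into a sibling directory whose name merely begins with the destination's name (constructed example: destination `/storage/out`, resolved entry `/storage/out-other/x`) still passes the check. `parent` is also not canonicalised in the visible lines; if it is defined elsewhere as a non-canonical path (for instance through a symlinked storage root), the comparison could instead reject every legitimate entry. I would anchor both sides on canonical paths and a trailing separator: `val base = File(parent).canonicalPath + File.separator` followed by `val isVulnerableForZipPathTraversal = !File(newPath).canonicalPath.startsWith(base)`. Rejected entries are dropped with a silent `continue`, so a log line or a user-visible message saying that the archive contained entries outside the destination would help triage. The enclosing loop starts and ends outside the hunk, so whether the directory branch just above (the one ending in `continue`) touches `newPath` before this check runs cannot be confirmed from here and is worth verifying.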