zip_slip #1210
Comments
Thanks. Method is part of
Verify that zip file entries don't try to escape the parent dir + test
@jeenbroekstra, @barthanssens would it make sense to backport this fix to a 2.4.3 release, especially since it is rather small? The security group of our company has notified us about this one, and we need to do an assessment. As we are approaching dev-complete state for the current release of our application, we could potentially only do smaller updates - if at all (and particularly cannot wait for a 2.5 release, which may also bring new features).
Well, it sure is a small effort to backport it.
Backport fix for zip traversal from develop
Hi all,
There is a path traversal vulnerability found by Qihoo360 CodeSafe Team.
Details as below:
When decompressing zip files, entries are not checked, resulting in overwriting arbitrary files by traversing directories using “../”