Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

zip_slip #1210

Closed
QiAnXinCodeSafe opened this issue Dec 18, 2018 · 3 comments
Closed

zip_slip #1210

QiAnXinCodeSafe opened this issue Dec 18, 2018 · 3 comments
Assignees
@barthanssens
Labels
🐞 bug issue is a bug security
Milestone
2.4.3

Comments

@QiAnXinCodeSafe
Copy link

QiAnXinCodeSafe commented Dec 18, 2018
edited
Loading

Hi all,
There is a path traversal vulnerability found by Qihoo360 CodeSafe Team.
Details as bellow:
default

When decompressing zip files, entries are not checked, resulting in overwriting arbitrary files by traversing directories using “.. /”
@barthanssens barthanssens added the 🐞 bug issue is a bug label Dec 18, 2018
@barthanssens
Copy link
Contributor

Thanks.

Method is part of org.eclipse.rdf4j.common.io.ZipUtil class

@barthanssens barthanssens mentioned this issue Dec 18, 2018
Merged
@barthanssens barthanssens self-assigned this Dec 18, 2018
@barthanssens barthanssens added security 📶 enhancement issue is a new feature or improvement and removed 🐞 bug issue is a bug labels Dec 18, 2018
barthanssens added a commit that referenced this issue Dec 19, 2018
@barthanssens
Merge pull request #1211 from Fedict/issues/#1210-zip-travers
b7dae5e 
Verify that zip file entries don't try to escape the parent dir + test
@barthanssens barthanssens added this to the 2.5.0 milestone Dec 19, 2018
@aschwarte10
Copy link
Contributor

@jeenbroekstra, @barthanssens would it make sense to backport this fix to a 2.4.3 release, especially since it is rather small?

The security group of our company has notified us about this one, and we need to do an assessment. As we are approaching dev-complete state for the current release of our application, we could potentially only do smaller updates - if at all (and particularly cannot wait for a 2.5 release, which may also bring new features).

@aschwarte10 aschwarte10 reopened this Jan 8, 2019
@barthanssens
Copy link
Contributor

Well, it sure is a small effort to backport it.
I'll take care of it this evening or tomorrow morning.

@barthanssens barthanssens modified the milestones: 2.5.0, 2.4.3 Jan 8, 2019
@abrokenjester abrokenjester added 🐞 bug issue is a bug and removed 📶 enhancement issue is a new feature or improvement labels Jan 8, 2019
@barthanssens barthanssens mentioned this issue Jan 8, 2019
Merged
barthanssens added a commit that referenced this issue Jan 8, 2019
@barthanssens
Merge pull request #1239 from Fedict/issues/#1210-zip-travers-243
dea1cd7 
Backport fix for zip traversal from develop
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@barthanssens barthanssens

Labels
🐞 bug issue is a bug security
Projects
None yet
Milestone
2.4.3
Development

No branches or pull requests
4 participants
@abrokenjester @barthanssens @aschwarte10 @QiAnXinCodeSafe