chore: stricter path checking when unpacking zip/tgz

wwqgtxx 2025-05-20 00:00:07 +08:00
parent ed42c4feb8
commit a93479124c


@ -221,7 +221,7 @@ func unzip(src, dest string) (string, error) {
fpath = filepath.Join(extractedFolder, f.Name) fpath = filepath.Join(extractedFolder, f.Name)
} }
if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) { if !inDest(fpath, dest) {
return "", fmt.Errorf("invalid file path: %s", fpath) return "", fmt.Errorf("invalid file path: %s", fpath)
} }
info := f.FileInfo() info := f.FileInfo()
@ -344,7 +344,7 @@ func untgz(src, dest string) (string, error) {
fpath = filepath.Join(extractedFolder, cleanTarPath(header.Name)) fpath = filepath.Join(extractedFolder, cleanTarPath(header.Name))
} }
if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) { if !inDest(fpath, dest) {
return "", fmt.Errorf("invalid file path: %s", fpath) return "", fmt.Errorf("invalid file path: %s", fpath)
} }
@ -421,3 +421,12 @@ func cleanup(root string) error {
return nil return nil
}) })
} }
func inDest(fpath, dest string) bool {
if rel, err := filepath.Rel(dest, fpath); err == nil {
if filepath.IsLocal(rel) {
return true
}
}
return false
}
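Review bot: The new `inDest` helper is a purely lexical check, since `filepath.Rel` and `filepath.IsLocal` never consult the filesystem, so it cannot detect an entry whose path passes through a symlink that already exists under `dest`. Whether `unzip` and `untgz` create symlinks from archive entries is not visible in these hunks (both bodies continue outside them), so that should be confirmed, or symlink entries refused during extraction. The helper also now returns true when `fpath` equals `dest`, because `Rel` yields `.` and `filepath.IsLocal(".")` is true, whereas the old prefix check rejected that case; if this is not intended, add `&& rel != "."`. A doc comment such as `// inDest reports whether fpath is lexically inside dest; symlinks are not resolved.` would record the limitation. The nested ifs can also be collapsed to `rel, err := filepath.Rel(dest, fpath)` followed by `return err == nil && filepath.IsLocal(rel)`.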