Shikong/Clash.Meta
1
0
Fork 0
mirror of https://gitclone.com/github.com/MetaCubeX/Clash.Meta synced 2025-05-23 18:38:09 +08:00
Code Issues Packages Projects Releases Wiki Activity

chore: stricter path checking when unpacking zip/tgz

Browse Source
This commit is contained in:
wwqgtxx 2025-05-20 00:00:07 +08:00
parent ed42c4feb8
commit a93479124c
1 changed files with 11 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
component/updater/update_ui.go
View File

@ -221,7 +221,7 @@ func unzip(src, dest string) (string, error) {
fpath = filepath.Join(extractedFolder, f.Name)
}
if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
if !inDest(fpath, dest) {
return "", fmt.Errorf("invalid file path: %s", fpath)
}
info := f.FileInfo()
@ -344,7 +344,7 @@ func untgz(src, dest string) (string, error) {
fpath = filepath.Join(extractedFolder, cleanTarPath(header.Name))
}
if !strings.HasPrefix(fpath, filepath.Clean(dest)+string(os.PathSeparator)) {
if !inDest(fpath, dest) {
return "", fmt.Errorf("invalid file path: %s", fpath)
}
@ -421,3 +421,12 @@ func cleanup(root string) error {
return nil
})
}
func inDest(fpath, dest string) bool {
if rel, err := filepath.Rel(dest, fpath); err == nil {
if filepath.IsLocal(rel) {
return true
}
}
return false
}