fix: ZipArchive::extract incomplete

Path sanitization needs to be implemented before we can make this public
2020-08-19 14:02:35 +01:00 · 2020-08-19 14:02:35 +01:00 · 0b46263eac
commit 0b46263eac
parent 4eba55cb7a
2 changed files with 12 additions and 7 deletions
--- a/src/read.rs
+++ b/src/read.rs
@ -322,10 +322,14 @@ impl<R: Read + io::Seek> ZipArchive<R> {
    /// # Platform-specific behaviour
    ///
    /// On unix systems permissions from the zip file are preserved, if they exist.
-    pub fn extract<P: AsRef<Path>>(&mut self, directory: P) -> ZipResult<()> {
+    // FIXME: Implement path sanitization to allow this to be public API.
+    //        This probably means failing on paths that would escape the directory
+    #[allow(dead_code)]
+    fn extract<P: AsRef<Path>>(&mut self, directory: P) -> ZipResult<()> {
        for i in 0..self.len() {
            let mut file = self.by_index(i)?;
-            let filepath = file.sanitized_name();
+            let filepath: std::path::PathBuf =
+                (|| unimplemented!("the sanitized path of {}", file.name()))();

            let outpath = directory.as_ref().join(filepath);

@ -936,6 +940,7 @@ mod test {

        for i in 0..zip.len() {
            let zip_file = zip.by_index(i).unwrap();
+            #[allow(deprecated)]
            let full_name = zip_file.sanitized_name();
            let file_name = full_name.file_name().unwrap().to_str().unwrap();
            assert!(
--- a/tests/extract.rs
+++ b/tests/extract.rs
@ -2,20 +2,20 @@ extern crate zip;

 use std::fs;
 use std::io;
-use std::path::PathBuf;

 use zip::ZipArchive;

 // This tests extracting the contents of a zip file
 #[test]
+#[ignore]
 fn extract() {
    let mut v = Vec::new();
    v.extend_from_slice(include_bytes!("../tests/data/files_and_dirs.zip"));
-    let mut archive = ZipArchive::new(io::Cursor::new(v)).expect("couldn't open test zip file");
+    let mut _archive = ZipArchive::new(io::Cursor::new(v)).expect("couldn't open test zip file");

-    archive
-        .extract(&PathBuf::from("test_directory"))
-        .expect("extract failed");
+    // archive
+    //     .extract("test_directory")
+    //     .expect("extract failed");

    // Cleanup
    fs::remove_dir_all("test_directory").expect("failed to remove extracted files");