DevComp/zip-rs-wasm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

Only allow path::Component::Normal when extracting

Browse source 
Previously, Component::Root and Component::Prefix where still allowed.
This meant some files could be extracted to a location outside the current directory.
Only safe components are Normal and Curdir, but since Curdir does not do anything we filter it aswell.

Resolves #27
This commit is contained in:
Mathijs van de Nes 2017-02-12 17:05:21 +01:00
parent 089f7a89e7
commit 88445219ec
1 changed files with 4 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

5
examples/extract.rs
View file

@ -89,7 +89,10 @@ fn sanitize_filename(filename: &str) -> std::path::PathBuf
std::path::Path::new(no_null_filename) std::path::Path::new(no_null_filename)
.components() .components()
.filter(|component| *component != std::path::Component::ParentDir) .filter(|component| match *component {
std::path::Component::Normal(..) => true,
_ => false
})
.fold(std::path::PathBuf::new(), |mut path, ref cur| { .fold(std::path::PathBuf::new(), |mut path, ref cur| {
path.push(cur.as_os_str()); path.push(cur.as_os_str());
path path