DevComp/zip-rs-wasm
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity

refactor: reintroduce path sanitization strategy

Browse source 
I've documented the drawbacks of this strategy to make sure users are
aware of the tradeoff being made.
This commit is contained in:
Marli Frost 2020-09-12 10:32:10 +01:00
parent 9884c68315
commit fb5105725f
No known key found for this signature in database
GPG key ID: CB0BEA7CF9BD1245
1 changed files with 27 additions and 1 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

28
src/read.rs
View file

@ -9,6 +9,7 @@ use crate::zipcrypto::ZipCryptoReaderValid;
use std::borrow::Cow; use std::borrow::Cow;
use std::collections::HashMap; use std::collections::HashMap;
use std::io::{self, prelude::*}; use std::io::{self, prelude::*};
use std::path::Component;
use crate::cp437::FromCp437; use crate::cp437::FromCp437;
use crate::types::{DateTime, System, ZipFileData}; use crate::types::{DateTime, System, ZipFileData};
@ -564,11 +565,21 @@ impl<'a> ZipFile<'a> {
} }
/// Get the name of the file /// Get the name of the file
///
/// # Warnings
///
/// It is dangerous to use this name directly when extracting an archive.
/// It may contain an absolute path (`/etc/shadow`), or break out of the
/// current directory (`../runtime`). Carelessly writing to these paths
/// allows an attacker to craft a ZIP archive that will overwrite critical
/// files.
pub fn name(&self) -> &str { pub fn name(&self) -> &str {
&self.data.file_name &self.data.file_name
} }
/// Get the name of the file, in the raw (internal) byte representation. /// Get the name of the file, in the raw (internal) byte representation.
///
/// The encoding of this data is currently undefined.
pub fn name_raw(&self) -> &[u8] { pub fn name_raw(&self) -> &[u8] {
&self.data.file_name_raw &self.data.file_name_raw
} }
@ -578,9 +589,24 @@ impl<'a> ZipFile<'a> {
#[deprecated( #[deprecated(
since = "0.5.7", since = "0.5.7",
note = "by stripping `..`s from the path, the meaning of paths can change. note = "by stripping `..`s from the path, the meaning of paths can change.
You must use a sanitization strategy that's appropriate for your input" `mangled_name` can be used if this behaviour is desirable"
)] )]
pub fn sanitized_name(&self) -> ::std::path::PathBuf { pub fn sanitized_name(&self) -> ::std::path::PathBuf {
self.mangled_name()
}
/// Rewrite the path, ignoring any path components with special meaning.
///
/// - Absolute paths are made relative
/// - [`ParentDir`]s are ignored
/// - Truncates the filename at a NULL byte
///
/// This is appropriate if you need to be able to extract *something* from
/// any archive, but will easily misrepresent trivial paths like
/// `foo/../bar` as `foo/bar` (instead of `bar`).
///
/// [`ParentDir`]: `Component::ParentDir`
pub fn mangled_name(&self) -> ::std::path::PathBuf {
self.data.file_name_sanitized() self.data.file_name_sanitized()
} }