From 242102f9d113fff321559c8645e79a29f0bdf70d Mon Sep 17 00:00:00 2001
From: Frank Denis <github@pureftpd.org>
Date: Thu, 7 Aug 2025 23:08:14 +0200
Subject: [PATCH] std/zip.zig: perform backslash-to-forward-slash before
 isBadFilename()

Previously, when extracting a ZIP file, isBadFilename(), which is
designed to reject ../ patterns to prevent directory traversal, was
called before normalizing backslashes to forward slashes.

This allowed path traversal sequences like ..\\..\\..\\etc\\passwd
which pass validation but are then converted to ../../../etc/passwd
for file extraction.
---
 lib/std/zip.zig | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/lib/std/zip.zig b/lib/std/zip.zig
index e1e8e04a36..74ccde18f0 100644
--- a/lib/std/zip.zig
+++ b/lib/std/zip.zig
@@ -536,9 +536,6 @@ pub const Iterator = struct {
                     @as(u64, local_header.extra_len);
             };
 
-            if (isBadFilename(filename))
-                return error.ZipBadFilename;
-
             if (options.allow_backslashes) {
                 std.mem.replaceScalar(u8, filename, '\\', '/');
             } else {
@@ -546,6 +543,9 @@ pub const Iterator = struct {
                     return error.ZipFilenameHasBackslash;
             }
 
+            if (isBadFilename(filename))
+                return error.ZipBadFilename;
+
             // All entries that end in '/' are directories
             if (filename[filename.len - 1] == '/') {
                 if (self.uncompressed_size != 0)