motiejus/zig
1
Fork 0
Code Releases Activity

std/zip.zig: perform backslash-to-forward-slash before isBadFilename()

Browse Source 
Previously, when extracting a ZIP file, isBadFilename(), which is
designed to reject ../ patterns to prevent directory traversal, was
called before normalizing backslashes to forward slashes.

This allowed path traversal sequences like ..\\..\\..\\etc\\passwd
which pass validation but are then converted to ../../../etc/passwd
for file extraction.
This commit is contained in:
Frank Denis
2025-08-07 23:08:14 +02:00
committed by Andrew Kelley
parent 6de2310035
commit 242102f9d1
1 changed files with 3 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
lib/std/zip.zig
View File

@@ -536,9 +536,6 @@ pub const Iterator = struct {
@as(u64, local_header.extra_len);
};
if (isBadFilename(filename))
return error.ZipBadFilename;
if (options.allow_backslashes) {
std.mem.replaceScalar(u8, filename, '\\', '/');
} else {
@@ -546,6 +543,9 @@ pub const Iterator = struct {
return error.ZipFilenameHasBackslash;
}
if (isBadFilename(filename))
return error.ZipBadFilename;
// All entries that end in '/' are directories
if (filename[filename.len - 1] == '/') {
if (self.uncompressed_size != 0)