Frank Denis 242102f9d1 std/zip.zig: perform backslash-to-forward-slash before isBadFilename() ...

Previously, when extracting a ZIP file, isBadFilename(), which is
designed to reject ../ patterns to prevent directory traversal, was
called before normalizing backslashes to forward slashes.

This allowed path traversal sequences like ..\\..\\..\\etc\\passwd
which pass validation but are then converted to ../../../etc/passwd
for file extraction.

2025-08-07 14:42:48 -07:00

26 KiB

Raw Blame History

View Raw