Previously, when extracting a ZIP file, isBadFilename(), which is designed to reject ../ patterns to prevent directory traversal, was called before normalizing backslashes to forward slashes. This allowed path traversal sequences like ..\\..\\..\\etc\\passwd which pass validation but are then converted to ../../../etc/passwd for file extraction.
26 KiB
26 KiB