Zip-slip vulnerability #63
Comments
|
@awused, are you willing to look at this vulnerability? It'd be nice to fix it before the next release. |
|
I don't use the vulnerable methods and I'm not looking to become a maintainer of this project. You could look into getting a CVE number for this, it is pretty serious, and it shouldn't just be a "nice to fix." |
otavio
added a commit
that referenced
this issue
Jul 31, 2021
It uses relative destination paths to unpack files in unexpected places. More details can be found at: http://snyk.io/research/zip-slip-vulnerability Fixes: #63 Signed-off-by: Otavio Salvador <[email protected]>
otavio
added a commit
that referenced
this issue
Jul 31, 2021
It uses relative destination paths to unpack files in unexpected places. More details can be found at: http://snyk.io/research/zip-slip-vulnerability Fixes: #63 Signed-off-by: Otavio Salvador <[email protected]>
otavio
added a commit
that referenced
this issue
Aug 2, 2021
It uses relative destination paths to unpack files in unexpected places. More details can be found at: http://snyk.io/research/zip-slip-vulnerability Fixes: #63 Signed-off-by: Otavio Salvador <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
uncompress_archiveis vulnerable to zip-slip.This can be verified with the test files in https://github.com/snyk/zip-slip-vulnerability/tree/master/archives. Using zip-slip.zip I was able to extract
good.txtto my chosen directory butevil.txtwas extracted to/tmp/.This is usually worthy of security advisory.
The text was updated successfully, but these errors were encountered: