jmestwa-coder opened a new pull request, #1066: URL: https://github.com/apache/poi/pull/1066
## Summary Reject attachment filenames that would escape the selected extraction directory during HMEF/TNEF attachment extraction. Previously, attachment filenames from TNEF metadata were written directly using: ```java new File(dir, filename) ``` This allowed traversal-style filenames such as `../escaped.txt` to resolve outside the intended extraction directory. ## Changes * normalize and validate resolved attachment output paths before writing files * reject attachment filenames that resolve outside the chosen extraction directory * add regression coverage for traversal-style attachment names ## Test Added a regression test that: * creates an in-memory malicious TNEF attachment using a traversal filename * verifies extraction throws `IOException` * verifies no file is created outside the extraction directory -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected] --------------------------------------------------------------------- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
