C l Java am in ooooo. On Tue, May 12, 2026, 7:53 PM jmestwa-coder (via GitHub) <[email protected]> wrote:
> jmestwa-coder opened a new pull request, #1066:
> URL: https://github.com/apache/poi/pull/1066
>
> ## Summary
>
> Reject attachment filenames that would escape the selected extraction
> directory during HMEF/TNEF attachment extraction.
>
> Previously, attachment filenames from TNEF metadata were written
> directly using:
>
> ```java
> new File(dir, filename)
> ```
>
> This allowed traversal-style filenames such as `../escaped.txt` to
> resolve outside the intended extraction directory.
>
> ## Changes
>
> * normalize and validate resolved attachment output paths before
>   writing files
> * reject attachment filenames that resolve outside the chosen
>   extraction directory
> * add regression coverage for traversal-style attachment names
>
> ## Test
>
> Added a regression test that:
>
> * creates an in-memory malicious TNEF attachment using a traversal
>   filename
> * verifies extraction throws `IOException`
> * verifies no file is created outside the extraction directory
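An added example, not Apache POI's code, of the resolve-and-check pattern the PR describes: the unsafe `new File(dir, filename)` from the description beside a hardened version that canonicalizes both paths and enforces the directory prefix. The class and method names (`SafeAttachmentPath`, `unsafeResolve`, `safeResolve`) are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;

/** Added example (not POI code): confine TNEF attachment names to one directory. */
public final class SafeAttachmentPath {

    /** Unsafe form quoted in the PR: trusts the attachment-supplied name as-is. */
    static File unsafeResolve(File dir, String filename) {
        return new File(dir, filename);
    }

    /**
     * Hardened form: canonicalize the directory and the candidate, then require
     * the candidate to sit strictly inside the directory. Canonical paths collapse
     * "..", "." and symlinks, so "../escaped.txt" and "sub/../../escaped.txt"
     * both fail the prefix test and are rejected with an IOException.
     */
    static File safeResolve(File dir, String filename) throws IOException {
        if (filename == null || filename.isEmpty()) {
            throw new IOException("Attachment has no filename");
        }
        String base = dir.getCanonicalPath();
        File candidate = new File(dir, filename);
        String resolved = candidate.getCanonicalPath();
        // Append the separator so a base of "/out" does not accept "/outside/x".
        if (!resolved.startsWith(base + File.separator)) {
            throw new IOException("Attachment filename escapes extraction directory: " + filename);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: one benign name and two traversal-style names.
        File dir = new File(System.getProperty("java.io.tmpdir"), "tnef-out");
        dir.mkdirs();
        String[] names = {"report.pdf", "../escaped.txt", "sub/../../escaped.txt"};
        for (String n : names) {
            System.out.println("unsafe resolves to: " + unsafeResolve(dir, n).getCanonicalPath());
            try {
                System.out.println("safe accepted:     " + safeResolve(dir, n));
            } catch (IOException e) {
                System.out.println("safe rejected:     " + e.getMessage());
            }
        }
    }
}
```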
