kali834x opened a new pull request, #1124:
URL: https://github.com/apache/poi/pull/1124
Normalizes backslash separators ('\') to forward slashes ('/') in
ZipSecureFile and ZipInputStreamZipEntrySource during duplicate entry
validation.
When validating ZIP archives against duplicate entry names (introduced for
CVE-2025-31672), entry names were matched without normalizing path separators.
Because some Windows zip utilities output backslashes (`\`) instead of forward
slashes (`/`), an attacker could craft an archive containing both
`xl/workbook.xml` and `xl\workbook.xml`. This would bypass the duplicate check
but could lead to path lookup shadowing during file parsing.
- Normalizes path separators in `ZipSecureFile.validateEntryNames()`.
- Normalizes path separators in the `ZipInputStreamZipEntrySource`
  constructor map index.
- Added `testValidateMixedSeparatorDuplicateEntryNames()` in
  `TestZipSecureFile` to verify correct detection and rejection of
  mixed-separator duplicates.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
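The bypass described in the PR, as an added illustration that is not code from the pull request or from Apache POI: it builds a constructed in-memory archive holding both `xl/workbook.xml` and `xl\workbook.xml`, runs a hypothetical raw-name duplicate check that misses the pair, and then a hypothetical separator-normalizing check (the same `'\\' -> '/'` rewrite the PR applies) that rejects it. The class and helper names (`MixedSeparatorDuplicateDemo`, `hasDuplicateRaw`, `hasDuplicateNormalized`) are assumptions for this example and are not POI's `ZipSecureFile` API.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.HashSet;
import java.util.List;
import java.util.Set;
import java.util.zip.ZipEntry;
import java.util.zip.ZipInputStream;
import java.util.zip.ZipOutputStream;

/**
 * Added illustration (not Apache POI code). Shows why a duplicate-entry
 * check that compares raw entry names misses a mixed-separator pair,
 * and how normalising '\' to '/' before comparison catches it.
 */
public class MixedSeparatorDuplicateDemo {

    /** Constructed sample archive containing both spellings of one path. */
    static byte[] buildArchiveWithMixedSeparators() throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ZipOutputStream zos = new ZipOutputStream(bos)) {
            addEntry(zos, "[Content_Types].xml", "<Types/>");
            addEntry(zos, "xl/workbook.xml", "<workbook>benign</workbook>");
            // Same logical part, written with a backslash the way some
            // Windows zip tools do. ZipOutputStream accepts it because the
            // raw string differs from "xl/workbook.xml".
            addEntry(zos, "xl\\workbook.xml", "<workbook>shadow</workbook>");
        }
        return bos.toByteArray();
    }

    private static void addEntry(ZipOutputStream zos, String name, String body)
            throws IOException {
        zos.putNextEntry(new ZipEntry(name));
        zos.write(body.getBytes(StandardCharsets.UTF_8));
        zos.closeEntry();
    }

    /** Collect the raw entry names in stream order, exactly as stored. */
    static List<String> entryNames(byte[] zipBytes) throws IOException {
        List<String> names = new ArrayList<>();
        try (ZipInputStream zis = new ZipInputStream(new ByteArrayInputStream(zipBytes))) {
            ZipEntry e;
            while ((e = zis.getNextEntry()) != null) {
                names.add(e.getName());
            }
        }
        return names;
    }

    /** Hypothetical pre-fix check: compares names as-is. */
    static boolean hasDuplicateRaw(List<String> names) {
        Set<String> seen = new HashSet<>();
        for (String n : names) {
            if (!seen.add(n)) {
                return true;
            }
        }
        return false;
    }

    /** The normalisation the PR applies: backslash becomes forward slash. */
    static String normalizeSeparators(String name) {
        return name.replace('\\', '/');
    }

    /** Hypothetical post-fix check: normalise before comparing. */
    static boolean hasDuplicateNormalized(List<String> names) {
        Set<String> seen = new HashSet<>();
        for (String n : names) {
            if (!seen.add(normalizeSeparators(n))) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        List<String> names = entryNames(buildArchiveWithMixedSeparators());
        System.out.println("entries: " + names);
        System.out.println("raw check flags a duplicate:        " + hasDuplicateRaw(names));
        System.out.println("normalized check flags a duplicate: " + hasDuplicateNormalized(names));
    }
}
```

The check only closes the gap if the same normalisation is applied wherever entry names are later used as lookup keys; a validator that normalises while the part index still keys on raw names would reject the archive at validation time but, if validation were ever skipped, still leave the two spellings resolvable as distinct parts. That is why the PR normalises in both `validateEntryNames()` and the `ZipInputStreamZipEntrySource` map index rather than in one place.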