tomasilluminati commented on PR #776:
URL: https://github.com/apache/commons-compress/pull/776#issuecomment-4862010997

   @Marcono1234 thanks, both were right, addressed both.
   
   ALLOW_WITHIN_ROOT: you're right that it can't be a hard guarantee, so I 
rewrote the constant's Javadoc to say plainly it is best-effort and lexical (it 
does not stop a link reached through another link, or an in-root chain that 
escapes only once the OS resolves it), with REJECT (default) and SKIP called 
out as the safe modes for untrusted input, plus a new "Safe Extraction" section 
in the user guide. Your indirect-symlink PoC is now a test: blocked under 
REJECT and SKIP, and under ALLOW_WITHIN_ROOT/ALLOW_ALL the links are created 
but nothing is written outside the root during extraction.
   
   resolveWithinRoot: it now returns null when the entry resolves to the root 
itself and the caller skips it, so a benign . or a/.. no longer fails and 
nothing ever targets or replaces the root. I kept it a nullable Path rather 
than Optional to match the codebase, escapes still throw, and I folded the four 
containment checks into one isWithinRoot helper with a sibling-prefix test.
   
   Pushed. Thanks for the careful review.


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to