[ https://issues.apache.org/jira/browse/COMPRESS-495?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16946774#comment-16946774 ]

Stefan Bodewig commented on COMPRESS-495:
-----------------------------------------

Thanks Gabor, you are certainly correct. We somehow forgot about that class 
when we dealt with the initial Zip Slip report.


Fortunately this class is very unlikely to be used by anybody, but we should - 
and will - certainly fix it.

> Zip Slip in SevenZ CLI
> ----------------------
>
>                 Key: COMPRESS-495
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-495
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Archivers
>            Reporter: Gabor Molnar
>            Priority: Major
>
> The SevenZ decompressor doesn't check whether the file to be extracted is 
> escaping the current directory or not.
> Vulnerable code: 
> [https://github.com/apache/commons-compress/blob/26b78cecfc1ca0e5daf03109b2c441f960bde678/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java#L67]
> In another place in the repository, there is a safe implementation that was 
> added as an example when the Zip Slip vulnerability was originally published: 
> https://github.com/apache/commons-compress/blob/1a14a23a05f7104e3d41a25a0f7e78ae1556285e/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java#L308
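The check the report asks for, as an added illustration rather than the project's own CLI or Expander code: each entry name is resolved under the extraction directory and rejected when its canonical path leaves that directory. The class name `SafeExtractTarget`, the `resolve` method and the sample entry names are constructed for this example.

```java
import java.io.File;
import java.io.IOException;
import java.util.List;

// Added example, not code from Commons Compress. Demonstrates the Zip Slip
// guard: an archive entry name must not resolve outside the target directory.
public class SafeExtractTarget {

    /**
     * Resolves entryName under targetDir and returns the File to write to,
     * or throws IOException if the entry would escape targetDir.
     */
    public static File resolve(File targetDir, String entryName) throws IOException {
        // Canonical form folds "..", redundant separators and existing symlinks.
        String dirPath = targetDir.getCanonicalPath();
        if (!dirPath.endsWith(File.separator)) {
            // Trailing separator so that "/tmp/out2" is not accepted as inside "/tmp/out".
            dirPath += File.separator;
        }
        File candidate = new File(targetDir, entryName);
        String candidatePath = candidate.getCanonicalPath();
        if (!candidatePath.startsWith(dirPath)) {
            throw new IOException("entry " + entryName
                    + " would create a file outside of " + targetDir);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        File out = new File(System.getProperty("java.io.tmpdir"), "extract-demo");
        // Constructed sample entry names, as they might appear in an archive.
        List<String> entries = List.of(
                "docs/readme.txt",          // plain relative name: accepted
                "sub/../ok.txt",            // ".." that stays inside: accepted
                "../../outside.txt");       // climbs above targetDir: rejected
        for (String name : entries) {
            try {
                System.out.println("accept " + name + " -> " + resolve(out, name));
            } catch (IOException e) {
                System.out.println("reject " + name + ": " + e.getMessage());
            }
        }
    }
}
```

The extraction loop should call `resolve` before opening any output stream, so nothing is written for an entry that fails the check.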



--
This message was sent by Atlassian Jira
(v8.3.4#803005)