[jira] [Resolved] (COMPRESS-495) Zip Slip in SevenZ CLI

Stefan Bodewig (Jira) Sat, 12 Oct 2019 03:31:57 -0700


     [ 
https://issues.apache.org/jira/browse/COMPRESS-495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Stefan Bodewig resolved COMPRESS-495.
-------------------------------------
    Resolution: Fixed

I've removed the complete EXTRACT code from the CLI class, it shouldn't be used 
anyway.

 

Thanks again.

> Zip Slip in SevenZ CLI
> ----------------------
>
>                 Key: COMPRESS-495
>                 URL: https://issues.apache.org/jira/browse/COMPRESS-495
>             Project: Commons Compress
>          Issue Type: Bug
>          Components: Archivers
>            Reporter: Gabor Molnar
>            Priority: Major
>              Labels: 7zip
>             Fix For: 1.20
>
>
> The SevenZ decompressor doesn't check that the file to be extracted is 
> escaping the current directory or not.
> Vulnerable code: 
> [https://github.com/apache/commons-compress/blob/26b78cecfc1ca0e5daf03109b2c441f960bde678/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java#L67]
> In another place in the repository, there is a safe implementation that was 
> added as an example when the Zip Slip vulnerability was originally published: 
> https://github.com/apache/commons-compress/blob/1a14a23a05f7104e3d41a25a0f7e78ae1556285e/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java#L308



--
This message was sent by Atlassian Jira
(v8.3.4#803005)

[jira] [Resolved] (COMPRESS-495) Zip Slip in SevenZ CLI

Reply via email to