Merge pull request #1546 from LennyMcLennington/fix/dont-unzip-invalid-filenames
fix(MMCZip): ignore invalid file paths in extractSubDir
This commit is contained in:
commit
4398cb5dc5
@ -292,10 +292,15 @@ std::optional<QStringList> MMCZip::extractSubDir(QuaZip *zip, const QString & su
|
||||
do
|
||||
{
|
||||
QString name = zip->getCurrentFileName();
|
||||
if(!name.startsWith(subdir))
|
||||
if(!QDir::cleanPath(name).startsWith(subdir))
|
||||
{
|
||||
continue;
|
||||
}
|
||||
if (QDir::isAbsolutePath(name) || QDir::cleanPath(name).startsWith(".."))
|
||||
{
|
||||
qDebug() << "extractSubDir: Skipping file that tries to place itself in an absolute location or in a parent directory.";
|
||||
continue;
|
||||
}
|
||||
|
||||
name.remove(0, subdir.size());
|
||||
auto original_name = name;
|
||||
|
Loading…
Reference in New Issue
Block a user