sharpcompress icon indicating copy to clipboard operation
sharpcompress copied to clipboard

Published 20 hours ago verified publisher icon adamhathcock

WriteEntryToDirectory - entry with root path crash

Open omermircor opened this issue 10 months ago • 5 comments

Hi, When I call WriteEntryToDirectory with entry key that is rooted for example '/root/file.txt' and the directory '/root2' as param. the code fails with Entry is trying to create a directory outside of the destination directory. The reason for that is Path.Combine ignore the directory path param. The solution should be move use Path.Join.

omermircor avatar Apr 08 '24 15:04 omermircor

There was to avoid a specific vulnerability to not allow extraction outside the destination directory:

https://github.com/adamhathcock/sharpcompress/pull/374/files

Path.Join does not seem applicable.

adamhathcock avatar Apr 09 '24 07:04 adamhathcock

@adamhathcock Hi, i would've assume that if my destination folder is /root2 and the directory inside the zip is for example /root/file.txt then it will be extracted to /root2/root/file.txt (just like if i extract the zip manually on my pc)

Ilanlido avatar Apr 16 '24 09:04 Ilanlido

again, the linked PR prevents extraction to directories outside of the current one

adamhathcock avatar Apr 16 '24 12:04 adamhathcock

I understand, again, i didn't expect it to extract to outside directories i'm expecting it to extract the full path into my desired destination folder - the problem is that when using Path.Combine("/root","/root2/test.txt") it will return "/root2/test.txt" instead of "/root/root2/test.txt"

Ilanlido avatar Apr 16 '24 12:04 Ilanlido

These are just convenance methods. You don't have to use them. You can write your own to write entries to whatever you like and however you like.

adamhathcock avatar Apr 16 '24 14:04 adamhathcock