[JENKINS-32778] - Prevent extracting archived plugins outside of targ…

…et path (#3402)
jenkinsci · May 5, 2018 · 8ede533 · 8ede533
1 parent 4278461
commit 8ede533
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/core/src/main/java/hudson/FilePath.java b/core/src/main/java/hudson/FilePath.java
@@ -598,6 +598,10 @@ private void unzip(File dir, File zipFile) throws IOException {
             while (entries.hasMoreElements()) {
                 ZipEntry e = entries.nextElement();
                 File f = new File(dir, e.getName());
+                if (!f.toPath().normalize().startsWith(dir.toPath())) {
+                    throw new IOException(
+                        "Zip " + zipFile.getPath() + " contains illegal file name that breaks out of the target directory: " + e.getName());
+                }
                 if (e.isDirectory()) {
                     mkdirs(f);
                 } else {