1. 18 Aug, 2020 2 commits
  2. 17 Aug, 2020 1 commit
  3. 15 Aug, 2020 1 commit
  4. 14 Aug, 2020 1 commit
  5. 08 Aug, 2020 2 commits
  6. 05 Aug, 2020 3 commits
  7. 31 Jul, 2020 4 commits
  8. 29 Jul, 2020 2 commits
    • Merge branch 'release/20.08' · 9393b0d8
      Elvis Angelaccio authored
    • Fix vulnerability to path traversal attacks · 0df59252
      Elvis Angelaccio authored
      Ark was vulnerable to directory traversal attacks because of
      missing validation of file paths in the archive.
      
      More details about this attack are available at:
      https://github.com/snyk/zip-slip-vulnerability
      
      Job::onEntry() is the only place where we can safely check the path of
      every entry in the archive. There shouldn't be a valid reason
      to have a "../" in an archive path, so we can just play safe and abort
      the LoadJob if we detect such an entry. This makes it impossible to
      extract this kind of malicious archive and perform the attack.
      
      Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
      so that we can still allow loading of legitimate archives that
      contain "../" in their paths but still resolve inside the extraction folder.
  9. 22 Jul, 2020 2 commits
  10. 17 Jul, 2020 3 commits
  11. 11 Jul, 2020 3 commits
  12. 10 Jul, 2020 2 commits
  13. 03 Jul, 2020 3 commits
  14. 18 Jun, 2020 4 commits
  15. 17 Jun, 2020 4 commits
  16. 14 Jun, 2020 1 commit
  17. 13 Jun, 2020 1 commit
  18. 08 Jun, 2020 1 commit