1. 31 Jul, 2020 2 commits
  2. 29 Jul, 2020 2 commits
    • Merge branch 'release/20.08' · 9393b0d8
      Elvis Angelaccio authored
    • Fix vulnerability to path traversal attacks · 0df59252
      Elvis Angelaccio authored
      Ark was vulnerable to directory traversal attacks because of
      missing validation of file paths in the archive.
      
      More details about this attack are available at:
      https://github.com/snyk/zip-slip-vulnerability
      
      Job::onEntry() is the only place where we can safely check the path of
      every entry in the archive. There shouldn't be a valid reason
      to have a "../" in an archive path, so we can just play safe and abort
      the LoadJob if we detect such an entry. This makes it impossible to
      extract this kind of malicious archive and perform the attack.
      
      Thanks to Albert Astals Cid for suggesting to use QDir::cleanPath()
      so that we can still allow loading of legitimate archives that
      contain "../" in their paths but still resolve inside the extraction folder.
  3. 22 Jul, 2020 2 commits
  4. 17 Jul, 2020 3 commits
  5. 11 Jul, 2020 3 commits
  6. 10 Jul, 2020 2 commits
  7. 03 Jul, 2020 3 commits
  8. 18 Jun, 2020 4 commits
  9. 17 Jun, 2020 4 commits
  10. 14 Jun, 2020 1 commit
  11. 13 Jun, 2020 1 commit
  12. 08 Jun, 2020 3 commits
  13. 02 Jun, 2020 2 commits
  14. 21 May, 2020 1 commit
  15. 17 May, 2020 1 commit
  16. 11 May, 2020 4 commits
  17. 04 May, 2020 1 commit
    • libarchive: Improve error-handling when loading archive · b47c5346
      Ragnar Thomsen authored
      Improves error-handling in LibarchivePlugin::list().
      
      Previously we only checked whether we could read until the end of the
      archive, and even if we couldn't there was no error shown to the user.
      Now we check the return value of both archive_read_next_header() and
      archive_read_data_skip(), and show a corrupt archive query if either
      was not successful.
      
      This partially solves bug 411074, as Ark now at least gives a warning
      when opening a corrupt archive with libarchiveplugin. We still need to
      improve error-handling when extracting, but this requires some
      refactoring first so will be done later.
      CCBUG: 411074
      Differential Revision: D29383
  18. 27 Apr, 2020 1 commit