Commit 71473ab3 authored by Albert Astals Cid

Relax protection against ../ on the file path

It should only be problematic if ../ is first on the path or if there's
a full /../ on the path. Having a ../ not at the beginning just means
that there's a folder that ends in ".." Weird but not wrong

BUGS: 450134
parent 8e1c5753
Pipeline #166211 skipped
......@@ -161,7 +161,8 @@ void Job::onError(const QString & message, const QString & details, int errorCod
void Job::onEntry(Archive::Entry *entry)
{
const QString entryFullPath = entry->fullPath();
if (QDir::cleanPath(entryFullPath).contains(QLatin1String("../"))) {
const QString cleanEntryFullPath = QDir::cleanPath(entryFullPath);
if (cleanEntryFullPath.startsWith(QLatin1String("../")) || cleanEntryFullPath.contains(QLatin1String("/../"))) {
qCWarning(ARK) << "Possibly malicious archive. Detected entry that could lead to a directory traversal attack:" << entryFullPath;
onError(i18n("Could not load the archive because it contains ill-formed entries and might be a malicious archive."), QString(), Kerfuffle::PossiblyMaliciousArchiveError);
onFinished(false);
......
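Review bot: The new condition on cleanEntryFullPath only matches a leading "../" or an interior "/../", so a cleaned path that is exactly ".." has no slash after it and matches neither branch. Consider splitting cleanEntryFullPath on '/' and rejecting the entry when any component equals "..", which covers that case while still accepting folder names that merely end in "..", as the commit message intends. A one-line comment above the check saying that only a whole ".." component counts as traversal, plus a test with one accepted name (a folder ending in "..") and one rejected name (a leading "../"), would keep the relaxed rule from being tightened or loosened by accident later.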