Merge pull request #1260 from TranceLove/bugfix/fix-b0rkenzip-321

Fix possibility of archive entry extracted outside specified destination for 3.2.1
TeamAmaze · Jun 10, 2018 · 7090554 · 7090554
2 parents 984ccac + 9888ae7
commit 7090554
Show file tree

Hide file tree

Showing 3 changed files with 46 additions and 12 deletions.
diff --git a/app/src/main/java/com/amaze/filemanager/services/ExtractService.java b/app/src/main/java/com/amaze/filemanager/services/ExtractService.java
@@ -231,14 +231,18 @@ private void createDir(File dir) {
         private void unzipEntry(ZipFile zipFile, ZipEntry entry, String outputDir)
                 throws Exception {
 
+            final File outputFile = new File(outputDir, fixEntryName(entry.getName()));
+
+            if (!outputFile.getCanonicalPath().startsWith(outputDir)){
+                throw new IOException("Incorrect ZipEntry path!");
+            }
+
             if (entry.isDirectory()) {
                 // zip entry is a directory, return after creating new directory
-                createDir(new File(outputDir, entry.getName()));
+                createDir(outputFile);
                 return;
             }
 
-            final File outputFile = new File(outputDir, entry.getName());
-
             if (!outputFile.getParentFile().exists()) {
                 // creating directory if not already exists
 
@@ -265,13 +269,19 @@ private void unzipEntry(ZipFile zipFile, ZipEntry entry, String outputDir)
 
         private void unzipRAREntry(Archive zipFile, FileHeader entry, String outputDir)
                 throws Exception {
-            String name = entry.getFileNameString();
+            String name = fixEntryName(entry.getFileNameString());
             name = name.replaceAll("\\\\", "/");
+            File outputFile = new File(outputDir, name);
+
+            if (!outputFile.getCanonicalPath().startsWith(outputDir)){
+                throw new IOException("Incorrect RAR FileHeader path!");
+            }
+
             if (entry.isDirectory()) {
-                createDir(new File(outputDir, name));
+                createDir(outputFile);
                 return;
             }
-            File outputFile = new File(outputDir, name);
+
             if (!outputFile.getParentFile().exists()) {
                 createDir(outputFile.getParentFile());
             }
@@ -299,12 +309,18 @@ private void unzipRAREntry(Archive zipFile, FileHeader entry, String outputDir)
 
         private void unzipTAREntry(TarArchiveInputStream zipFileStream, TarArchiveEntry entry,
                                    String outputDir) throws Exception {
-            String name = entry.getName();
+            String name = fixEntryName(entry.getName());
+            File outputFile = new File(outputDir, name);
+
+            if (!outputFile.getCanonicalPath().startsWith(outputDir)){
+                throw new IOException("Incorrect TarArchiveEntry path!");
+            }
+
             if (entry.isDirectory()) {
-                createDir(new File(outputDir, name));
+                createDir(outputFile);
                 return;
             }
-            File outputFile = new File(outputDir, name);
+
             if (!outputFile.getParentFile().exists()) {
                 createDir(outputFile.getParentFile());
             }
@@ -707,5 +723,12 @@ private synchronized void putDataPackage(DataPackage dataPackage) {
         this.dataPackages.add(dataPackage);
     }
 
+    protected String fixEntryName(String entryName){
+        if(entryName.indexOf('\\') > 0) {
+            return entryName.replace('\\', '/');
+        } else {
+            return entryName;
+        }
+    }
 }
 
diff --git a/app/src/main/java/com/amaze/filemanager/services/asynctasks/RarHelperTask.java b/app/src/main/java/com/amaze/filemanager/services/asynctasks/RarHelperTask.java
@@ -11,6 +11,7 @@
 import com.github.junrar.rarfile.FileHeader;
 
 import java.io.File;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
@@ -60,13 +61,19 @@ protected ArrayList<FileHeader> doInBackground(File... params) {
                     String name = header.getFileNameString();
 
                     if (!name.contains("\\")) {
-                        elements.add(header);
+                        if(name.startsWith("..\\") || name.startsWith("../") || name.equals("..")) {
+                            continue;
+                        }
 
+                        elements.add(header);
                     }
                 }
             } else {
                 for (FileHeader header : zipViewer.wholelistRar) {
                     String name = header.getFileNameString();
+                    if(name.startsWith("..\\") || name.startsWith("../") || name.equals("..")) {
+                        continue;
+                    }
                     if (name.substring(0, name.lastIndexOf("\\")).equals(dir)) {
                         elements.add(header);
                     }

diff --git a/app/src/main/java/com/amaze/filemanager/services/asynctasks/ZipHelperTask.java b/app/src/main/java/com/amaze/filemanager/services/asynctasks/ZipHelperTask.java
@@ -7,6 +7,7 @@
 import com.amaze.filemanager.ui.ZipObj;
 
 import java.io.File;
+import java.io.IOException;
 import java.util.ArrayList;
 import java.util.Collections;
 import java.util.Comparator;
@@ -67,9 +68,12 @@ protected ArrayList<ZipObj> doInBackground(String... params) {
 
             for (ZipObj entry : zipViewer.wholelist) {
 
-                String s = entry.getName();
-                //  System.out.println(s);
                 File file = new File(entry.getName());
+
+                if(entry.getName().startsWith("../") || entry.getName().startsWith("..\\") || entry.getName().equals("..")) {
+                    continue;
+                }
+
                 if (dir == null || dir.trim().length() == 0) {
                     String y = entry.getName();
                     if (y.startsWith("/"))