diff --git a/teamengine-core/src/main/java/com/occamlab/te/parsers/ZipParser.java b/teamengine-core/src/main/java/com/occamlab/te/parsers/ZipParser.java
index 39c686cc..adb1bb0a 100644
--- a/teamengine-core/src/main/java/com/occamlab/te/parsers/ZipParser.java
+++ b/teamengine-core/src/main/java/com/occamlab/te/parsers/ZipParser.java
@@ -11,13 +11,7 @@
  */
 package com.occamlab.te.parsers;
-import java.io.File;
-import java.io.FileInputStream;
-import java.io.FileOutputStream;
-import java.io.OutputStream;
-import java.io.PrintWriter;
-import java.io.InputStream;
-
+import java.io.*;
 import java.net.URLConnection;
 import java.util.logging.Level;
@@ -149,8 +143,11 @@ private static Document parse(InputStream is, Element instruction,
 subdir = filename.substring(0, filename.lastIndexOf("/"));
 else if (filename.lastIndexOf("\\") != -1)
 subdir = filename.substring(0, filename.lastIndexOf("\\"));
- new File(path + "/" + subdir).mkdirs();
+ new File(path, subdir).mkdirs();
 File outFile = new File(path, filename);
+ if (!outFile.toPath().normalize().startsWith(path)) {
+ throw new IOException("Bad zip entry");
+ }
 if (outFile.isDirectory())
 continue;
 OutputStream out = new FileOutputStream(outFile);
@@ -246,8 +243,11 @@ private Document saveZipFile(String filepath, Document instruction)
 subdir = filename.substring(0, filename.lastIndexOf("/"));
 else if (filename.lastIndexOf("\\") != -1)
 subdir = filename.substring(0, filename.lastIndexOf("\\"));
- new File(path + "/" + subdir).mkdirs();
+ new File(path, subdir).mkdirs();
 File outFile = new File(path, filename);
+ if (!outFile.toPath().normalize().startsWith(path)) {
+ throw new IOException("Bad zip entry");
+ }
 if (outFile.isDirectory())
 continue;
 OutputStream out = new FileOutputStream(outFile);
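Review bot: The wildcard `import java.io.*;` replaces six explicit imports even though the only new name the commit needs is IOException, and the neighbouring lines (`java.net.URLConnection`, `java.util.logging.Level`) keep the explicit style. Keep the original six lines and add `import java.io.IOException;` alongside them, so the file's import convention stays consistent and the names actually used remain visible.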
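Review bot: The containment check is placed after `new File(path, subdir).mkdirs();`, so an entry whose name climbs out of `path` still creates its directory chain outside the extraction root before the check throws; the guard should run before any filesystem write. The same ordering appears in the saveZipFile hunk below. The check also compares `outFile.toPath().normalize()` against an un-normalized `path`: if `path` is given with `.` or `..` segments (its declaration is outside the hunk, so I cannot tell), `normalize()` strips them from the entry side only and every legitimate entry is rejected, so normalize both sides. Note that `Path` would need `java.nio.file.Path` in scope, which the new `java.io.*` import does not cover; parse's body continues outside the hunk.
```java
        File outFile = new File(path, filename);
        // Normalize both sides so a base path containing "." or ".." segments
        // does not make the prefix test fail for legitimate entries.
        Path base = new File(path).toPath().toAbsolutePath().normalize();
        Path target = outFile.toPath().toAbsolutePath().normalize();
        if (!target.startsWith(base)) {
            throw new IOException("Bad zip entry: " + filename);
        }
        // Create the entry's directory only once it is known to lie inside path.
        new File(path, subdir).mkdirs();
        // … unchanged: isDirectory check and copy into outFile …
```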