should prevent zip extraction to parent dir #117

Closed
sebastien-mignot opened this issue Jan 7, 2015 · 4 comments

sebastien-mignot commented Jan 7, 2015

If the files inside the zip archives have a path like "../../../somewhere/et cetera.", adm will extract the file at this location.
This should not be allowed (or at least not by default), as it poses a security risk.
(During an audit, we managed to take control of our preproduction server by uploading such a .zip on the website: instead of extracting his files to the user files dir, where they were inactive and blocked, he injected a .php script in the Apache directory.)
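
A containment check of the kind this report asks for, as an added example that is not part of the thread and not adm-zip's own code. The function names, the destination directory and the sample entry names are assumptions constructed for illustration.

```javascript
'use strict';
const path = require('node:path');

// Map a zip entry name to a path under destDir; throw if it would escape.
function resolveEntryPath(destDir, entryName) {
  if (entryName.includes('\0')) {
    throw new Error('NUL byte in entry name');
  }
  // Treat backslashes as separators too, so "..\\..\\x" is caught on POSIX.
  const name = entryName.replace(/\\/g, '/');
  const root = path.resolve(destDir);
  // An absolute entry name replaces root here and is rejected below.
  const target = path.resolve(root, name);
  const rel = path.relative(root, target);
  // Compare whole path segments: a plain startsWith(root) test would
  // accept a sibling directory such as "<root>-evil".
  if (rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) {
    throw new Error(`entry escapes ${root}: ${JSON.stringify(entryName)}`);
  }
  return target;
}

// Split entry names into resolved safe paths and refused names.
function auditEntries(destDir, entryNames) {
  const safe = [];
  const rejected = [];
  for (const name of entryNames) {
    try {
      safe.push(resolveEntryPath(destDir, name));
    } catch (err) {
      rejected.push(name);
    }
  }
  return { safe, rejected };
}

// Constructed sample names, not taken from a real archive.
const SAMPLE_NAMES = [
  'docs/readme.txt',
  '..notes.txt',                    // legitimate name that starts with dots
  'a/../b.txt',                     // climbs, but stays inside destDir
  '../../../somewhere/script.php',  // the pattern described in the report
  '../user-files-evil/script.php',  // sibling directory sharing the prefix
  '..\\..\\somewhere\\script.php',  // backslash-separated variant
  '/var/www/script.php',            // absolute entry name
];

console.log(auditEntries('/srv/app/user-files', SAMPLE_NAMES));
```

The check covers entry names only; an archive that also carries symbolic links needs the link targets validated separately.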

ArnCo commented Feb 6, 2015

I confirm this behavior. Please let me know when a patch is available.

@jonlinper

Any solution for this security issue?

ArnCo commented Aug 22, 2016

Let's face it guys, just use another lib, this one is not maintained anymore.

Collaborator

5saviahv commented Mar 9, 2021

It should be fixed for now

5saviahv closed this as completed Mar 9, 2021