o Updated to guard against directory traversal issues.

ChristianSchulte · ChristianSchulte · commit 33a2853df818 · 2016-05-08T00:17:51.000+02:00
Fixes #4
diff --git a/src/main/java/org/codehaus/plexus/util/Expand.java b/src/main/java/org/codehaus/plexus/util/Expand.java
@@ -136,6 +136,12 @@ protected void extractFile( File srcF, File dir, InputStream compressedInputStre
         throws Exception
     {
         File f = FileUtils.resolveFile( dir, entryName );
+
+        if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
+        {
+            throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+        }
+
         try
         {
             if ( !overwrite && f.exists() && f.lastModified() >= entryDate.getTime() )

Original file line number	Diff line number	Diff line change
`@@ -136,6 +136,12 @@ protected void extractFile( File srcF, File dir, InputStream compressedInputStre`
`136`	`136`	`throws Exception`
`137`	`137`	`{`
`138`	`138`	`File f = FileUtils.resolveFile( dir, entryName );`
	`139`	`+`
	`140`	`+ if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )`
	`141`	`+ {`
	`142`	`+ throw new IOException( "Entry '" + entryName + "' outside the target directory." );`
	`143`	`+ }`
	`144`	`+`
`139`	`145`	`try`
`140`	`146`	`{`
`141`	`147`	`if ( !overwrite && f.exists() && f.lastModified() >= entryDate.getTime() )`