Problem extracting zip file: illegal file name that breaks out of the target directory: / #400

Closed
Gr33nbl00d opened this issue Jan 28, 2022 · 7 comments
Labels: bug, resolved, want feedback

@Gr33nbl00d
Contributor

Gr33nbl00d commented Jan 28, 2022

Hi, I have a problem extracting a zip file which was generated by the Maven Assembly Plugin.

if (!outputFile.getCanonicalPath().startsWith(outputCanonicalPath)) {

I debugged into that place and found out that the outputFile does not have a trailing slash but the outputCanonicalPath variable has.
That's what I see in the IDE:

outputFile = {File@1809} "D:\Users\XXXXXXX\AppData\Local\Temp\dependentrules14443115985707206885"
outputCanonicalPath = "D:\Users\XXXXXXX\AppData\Local\Temp\dependentrules14443115985707206885\"

The zip file header looks like this:

versionMadeBy = 788
fileCommentLength = 0
diskNumberStart = 0
internalFileAttributes = {byte[2]@1817} [0, 0]
externalFileAttributes = {byte[4]@1818} [16, 0, -19, 65]
offsetLocalHeader = 5294
fileComment = null
versionNeededToExtract = 10
generalPurposeFlag = {byte[2]@1819} [0, 0]
compressionMethod = {CompressionMethod@1820} "STORE"
lastModifiedTime = 1412516727
crc = 0
compressedSize = 0
uncompressedSize = 0
fileNameLength = 1
extraFieldLength = 0
fileName = "/"
isEncrypted = false
encryptionMethod = {EncryptionMethod@1822} "NONE"
dataDescriptorExists = false
zip64ExtendedInfo = null
aesExtraDataRecord = null
fileNameUTF8Encoded = false
extraDataRecords = null
isDirectory = true
signature = {HeaderSignature@1823} "CENTRAL_DIRECTORY"

Any solution to this? Is this a bug? Anyone had the same problem?

@Gr33nbl00d
Contributor Author

It seems like the fix for #133 in commit ff3d3b3 caused that problem.
I found that, at least on Windows, new File (last line) in the determineOutputFile method removes the trailing slash.

return new File(outputPath + FILE_SEPARATOR + outputFileName);

new File("d:\test\") --> d:\test

In the fix for #133 you added a file separator to the extraction path so that someone cannot extract into a different folder name. Unfortunately, the result of determineOutputFile does not contain a slash in case it's the relative root folder.

String outputCanonicalPath = (new File(outputPath).getCanonicalPath()) + File.separator;

@srikanth-lingala
Owner

@Gr33nbl00d Thanks for the PR. I merged your PR, but also made some slight adjustments to it. Instead of checking for just the root directory, I now check if the outputFile is a directory, and append the fileSeparator if it is a directory. Can you please confirm if this change still works with your zip file?
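
The containment check discussed in the comments above, as an added example that is not zip4j's code and not part of this thread: it runs a bare prefix check, the separator-appended check quoted in the issue, and a component-wise comparison over the same entry names, including the "/" entry from the reported header. The class name, method names, target directory and entry names are hypothetical, and `componentCheck` is one alternative way to write the test, not the fix merged in the project.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class ExtractionPathCheck {
    // Builds the output file the way the line quoted from determineOutputFile does.
    static File outputFile(File target, String entryName) {
        return new File(target.getPath() + File.separator + entryName);
    }

    // Prefix match without a trailing separator: a sibling directory "out-evil"
    // also starts with "out", so an entry escaping into it is accepted.
    static boolean bareCheck(File target, String entryName) throws IOException {
        return outputFile(target, entryName).getCanonicalPath()
                .startsWith(target.getCanonicalPath());
    }

    // Prefix match with the separator appended, as in the check quoted in the issue.
    // getCanonicalPath() does not end in a separator for a non-root path, so an
    // entry that resolves to the target directory itself ("/") is rejected.
    static boolean separatorCheck(File target, String entryName) throws IOException {
        String targetCanonical = target.getCanonicalPath() + File.separator;
        return outputFile(target, entryName).getCanonicalPath().startsWith(targetCanonical);
    }

    // Assumed alternative: compare whole path components with Path.startsWith,
    // which accepts the target itself and rejects the "out-evil" sibling.
    static boolean componentCheck(File target, String entryName) throws IOException {
        Path targetPath = target.getCanonicalFile().toPath();
        return outputFile(target, entryName).getCanonicalFile().toPath().startsWith(targetPath);
    }

    public static void main(String[] args) throws IOException {
        // Constructed target directory and entry names; nothing is written to disk.
        File target = new File(System.getProperty("java.io.tmpdir"), "out");
        String[] entries = { "/", "docs/readme.txt", "../out-evil/x.txt", "../../x.txt" };
        for (String name : entries) {
            System.out.printf("%-18s bare=%-5b separator=%-5b component=%b%n", name,
                    bareCheck(target, name), separatorCheck(target, name),
                    componentCheck(target, name));
        }
    }
}
```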

srikanth-lingala self-assigned this Mar 9, 2022
@srikanth-lingala
Owner

Fixed in v2.10.0 released today

@Gr33nbl00d
Contributor Author

I will check on Wednesday if it still works. I have a day off tomorrow. Thanks for merging.

@Gr33nbl00d
Contributor Author

Hi, I have verified that the bugfix fixed the problem :)

@JLLeitschuh
Contributor

I think that #402 fixed a security vulnerability, is that indeed correct? If so, this should probably have a CVE assigned to it? Do you agree?

@JLLeitschuh
Contributor

Friendly ping to the Snyk team:
