From e809e38295fb9367b718fb8fd9b567aafc6f27c9 Mon Sep 17 00:00:00 2001
From: myk1343 <75473184+myk1343@users.noreply.github.com>
Date: Tue, 28 May 2024 18:07:04 +0800
Subject: [PATCH] fix: Zip Path Traversal (#181)

Zip Path Traversal

Bug: https://pms.uniontech.com/bug-view-232873.html

Log: Zip Path Traversal
---
 3rdparty/libzipplugin/libzipplugin.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/3rdparty/libzipplugin/libzipplugin.cpp b/3rdparty/libzipplugin/libzipplugin.cpp
index c872778c..3c64fd6a 100644
--- a/3rdparty/libzipplugin/libzipplugin.cpp
+++ b/3rdparty/libzipplugin/libzipplugin.cpp
@@ -761,6 +761,11 @@ ErrorType LibzipPlugin::extractEntry(zip_t *archive, zip_int64_t index, const Ex
     }
 
     strFileName = m_common->trans2uft8(statBuffer.name, m_mapFileCode[index]);    // 解压文件名（压缩包中）
+    //fix 232873
+    if(strFileName.indexOf("../") != -1) {
+        qInfo() << "skipped ../ path component(s) in " << strFileName;
+        strFileName = strFileName.replace("../", "");
+    }
     if(strFileName.contains(QLatin1Char('\\')))
         strFileName = strFileName.replace(QLatin1Char('\\'), QDir::separator());
     QString strOriginName = strFileName;