mirror of
https://github.com/maride/afl-transmit.git
synced 2024-11-24 16:14:25 +00:00
Poorly protect against directory traversal
This commit is contained in:
parent
02df628076
commit
e06e7f204c
@ -10,6 +10,7 @@ import (
|
||||
"log"
|
||||
"os"
|
||||
"path"
|
||||
"strings"
|
||||
)
|
||||
|
||||
// UnpackInto decrompesses the given bytes with DEFLATE, then unpacks the result as TAR archive into the targetDir
|
||||
@ -66,6 +67,12 @@ func unpackSingleFile(raw []byte, targetDirectory string, filename string) {
|
||||
return
|
||||
}
|
||||
|
||||
// Check if some funny stuff is going on
|
||||
if strings.Contains(targetDirectory, "..") || strings.Contains(filename, "..") {
|
||||
log.Printf("Skipping traversal filename: %s", filename)
|
||||
return
|
||||
}
|
||||
|
||||
// Check if the target directory already exists - otherwise we create it
|
||||
dirOfFile := path.Dir(fmt.Sprintf("%s%c%s", targetDirectory, os.PathSeparator, filename))
|
||||
_, dirInfoErr := os.Stat(dirOfFile)
|
||||
|
Loading…
Reference in New Issue
Block a user