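--- a/src/main/java/org/codehaus/plexus/util/Expand.java 2026-05-20 09:19:51.014184013 +0000
+++ b/src/main/java/org/codehaus/plexus/util/Expand.java 2026-05-20 09:20:05.847146005 +0000
@@ -116,9 +116,20 @@
 {
 File f = FileUtils.resolveFile( dir, entryName );
 
- if ( !f.getAbsolutePath().startsWith( dir.getAbsolutePath() ) )
+ try
+ {
+ String canonicalDirPath = dir.getCanonicalPath();
+ String canonicalFilePath = f.getCanonicalPath();
+
+ if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
+ && !canonicalFilePath.equals( canonicalDirPath ) )
+ {
+ throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+ }
+ }
+ catch ( IOException e )
 {
- throw new IOException( "Entry '" + entryName + "' outside the target directory." );
+ throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
 }
 
 try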
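Review bot: The "outside the target directory" `IOException` is thrown inside the new `try`, so the `catch ( IOException e )` directly below catches it and rethrows it as "Failed to verify entry path for …"; a rejected traversal entry and a genuine canonicalization failure then share the same top-level message, with the real reason only in the cause. Extraction still fails closed, but anyone triaging logs or matching on the message loses the signal that an archive entry tried to escape the target directory. Limiting the `try` to the two `getCanonicalPath()` calls and running the comparison after it keeps the two messages distinct. Separately, when `dir` canonicalizes to a filesystem root the path already ends with a separator, so `canonicalDirPath + File.separator` matches nothing and every entry is rejected. The enclosing method starts and ends outside the hunk.

```java
File f = FileUtils.resolveFile( dir, entryName );

String canonicalDirPath;
String canonicalFilePath;
try
{
    canonicalDirPath = dir.getCanonicalPath();
    canonicalFilePath = f.getCanonicalPath();
}
catch ( IOException e )
{
    throw new IOException( "Failed to verify entry path for '" + entryName + "'", e );
}

// Checked outside the try so the rejection is not rewrapped by the catch above.
if ( !canonicalFilePath.startsWith( canonicalDirPath + File.separator )
    && !canonicalFilePath.equals( canonicalDirPath ) )
{
    throw new IOException( "Entry '" + entryName + "' outside the target directory." );
}
// … unchanged: extraction try block that follows …
```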