mirror of
https://github.com/yuzu-emu/yuzu-android.git
synced 2025-01-12 08:15:36 +00:00
android: Fix potential zip traversal exploit
This commit is contained in:
parent
d1fb7ea58b
commit
3281dc597e
|
@ -7,6 +7,7 @@ import android.content.Context
|
||||||
import android.net.Uri
|
import android.net.Uri
|
||||||
import org.yuzu.yuzu_emu.NativeLibrary
|
import org.yuzu.yuzu_emu.NativeLibrary
|
||||||
import org.yuzu.yuzu_emu.utils.FileUtil.copyUriToInternalStorage
|
import org.yuzu.yuzu_emu.utils.FileUtil.copyUriToInternalStorage
|
||||||
|
import java.io.BufferedInputStream
|
||||||
import java.io.File
|
import java.io.File
|
||||||
import java.io.FileInputStream
|
import java.io.FileInputStream
|
||||||
import java.io.FileOutputStream
|
import java.io.FileOutputStream
|
||||||
|
@ -28,12 +29,17 @@ object GpuDriverHelper {
|
||||||
if (!dir.exists()) dir.mkdirs()
|
if (!dir.exists()) dir.mkdirs()
|
||||||
|
|
||||||
// Unpack the files.
|
// Unpack the files.
|
||||||
val zis = ZipInputStream(FileInputStream(zipFilePath))
|
val inputStream = FileInputStream(zipFilePath)
|
||||||
|
val zis = ZipInputStream(BufferedInputStream(inputStream))
|
||||||
val buffer = ByteArray(1024)
|
val buffer = ByteArray(1024)
|
||||||
var ze = zis.nextEntry
|
var ze = zis.nextEntry
|
||||||
while (ze != null) {
|
while (ze != null) {
|
||||||
val fileName = ze.name
|
val newFile = File(destDir, ze.name)
|
||||||
val newFile = File(destDir + fileName)
|
val canonicalPath = newFile.canonicalPath
|
||||||
|
if (!canonicalPath.startsWith(destDir + ze.name)) {
|
||||||
|
throw SecurityException("Zip file attempted path traversal! " + ze.name)
|
||||||
|
}
|
||||||
|
|
||||||
newFile.parentFile!!.mkdirs()
|
newFile.parentFile!!.mkdirs()
|
||||||
val fos = FileOutputStream(newFile)
|
val fos = FileOutputStream(newFile)
|
||||||
var len: Int
|
var len: Int
|
||||||
|
|
Loading…
Reference in a new issue