CactiChameleon9/PrismLauncher
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix MMCZip bugs

Browse Source 
Signed-off-by: timoreo <contact@timoreo.fr>
This commit is contained in:
timoreo 2022-07-01 14:03:45 +02:00
parent a97387b692
commit 98a82cd484
No known key found for this signature in database
GPG Key ID: 121A72C3512BA288
1 changed files with 10 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
launcher/MMCZip.cpp
View File

@ -300,6 +300,11 @@ std::optional<QStringList> MMCZip::extractSubDir(QuaZip *zip, const QString & su
name.remove(0, subdir.size()); name.remove(0, subdir.size());
auto original_name = name; auto original_name = name;
// Fix subdirs/files ending with a / getting transformed into absolute paths
if(name.startsWith('/')){
name = name.mid(1);
}
// Fix weird "folders with a single file get squashed" thing // Fix weird "folders with a single file get squashed" thing
QString path; QString path;
if(name.contains('/') && !name.endsWith('/')){ if(name.contains('/') && !name.endsWith('/')){
@ -319,6 +324,11 @@ std::optional<QStringList> MMCZip::extractSubDir(QuaZip *zip, const QString & su
absFilePath = directory.absoluteFilePath(path + name); absFilePath = directory.absoluteFilePath(path + name);
} }
//Block potential file traversal issues
if(!absFilePath.startsWith(directory.absolutePath())){
qWarning() << "Potential file traversal issue, for path " << absFilePath << " with base name as " << directory.absolutePath();
continue;
}
if (!JlCompress::extractFile(zip, "", absFilePath)) if (!JlCompress::extractFile(zip, "", absFilePath))
{ {
qWarning() << "Failed to extract file" << original_name << "to" << absFilePath; qWarning() << "Failed to extract file" << original_name << "to" << absFilePath;