Commit `242102f9d1`

Frank Denis <github@pureftpd.org>

2025-08-07 23:08:14

std/zip.zig: perform backslash-to-forward-slash before isBadFilename()

Previously, when extracting a ZIP file, isBadFilename(), which is designed to reject ../ patterns to prevent directory traversal, was called before normalizing backslashes to forward slashes. This allowed path traversal sequences like ..\\..\\..\\etc\\passwd which pass validation but are then converted to ../../../etc/passwd for file extraction.

master

1 parent 6de2310

Changed files (1)

lib

std

zip.zig

@@ -536,9 +536,6 @@ pub const Iterator = struct {
                     @as(u64, local_header.extra_len);
             };
 
-            if (isBadFilename(filename))
-                return error.ZipBadFilename;
-
             if (options.allow_backslashes) {
                 std.mem.replaceScalar(u8, filename, '\\', '/');
             } else {
@@ -546,6 +543,9 @@ pub const Iterator = struct {
                     return error.ZipFilenameHasBackslash;
             }
 
+            if (isBadFilename(filename))
+                return error.ZipBadFilename;
+
             // All entries that end in '/' are directories
             if (filename[filename.len - 1] == '/') {
                 if (self.uncompressed_size != 0)

Commit 242102f9d1

Commit `242102f9d1`