Skip to content

DTF vulnerable to "Zip Slip" #6075

New issue
New issue
Closed
bug
Closed
DTF vulnerable to "Zip Slip"#6075
bug
wixtoolset/wix3
#497
 (+1)
Assignees
firegiantco
Labels
dtf
Milestone
v3.x
@firegiantco

Description

@firegiantco
firegiantco
opened on Sep 12, 2019

Please provide answers to the following questions to help us narrow down, reproduce, and fix the problem. Fill out one section and delete the others.

  • Which version of WiX are you building with?

WiX v3.11.1

  • Which version of Visual Studio are you building with (if any)?

N/A

  • Which version of the WiX Toolset Visual Studio Extension are you building with (if any)?

N/A

  • Which version of .NET are you building with?

Any

  • If the problem occurs when installing your packages built with WiX, what is the version of Windows the package is running on?

N/A

  • Describe the problem and the steps to reproduce it.

A maliciously crafted cabinet or zip file can be created with traversal paths in the archived file names. For example, ..\..\hackedu.dll. DTF's ArchiveFileStreamContext will concatenate the archived file path with a provided base directory, such that the traversal path can place the file outside the provided base directory and possibly overwriting the user's files. This is known as Zip Slip.

  • Describe the behavior you expected and how it differed from the actual behavior.

DTF should not write files outside the extraction folder.

This issue was originally reported by Devin Casadey.

Metadata

Metadata

Assignees

Labels

dtf

Type

bug

Projects

No projects

Milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions