From 857095da5153fd18504b46f276d84f1e76a66970 Mon Sep 17 00:00:00 2001
From: Stefan Bodewig <bodewig@apache.org>
Date: Sat, 5 May 2018 17:28:12 +0200
Subject: [PATCH] change stripAbsolutePathSpec's default, credit Snyk

---
 WHATSNEW                                           |  4 +++-
 manual/Tasks/unzip.html                            |  3 ++-
 src/main/org/apache/tools/ant/taskdefs/Expand.java |  2 +-
 src/tests/antunit/taskdefs/unzip-test.xml          | 10 +++++-----
 4 files changed, 11 insertions(+), 8 deletions(-)

diff --git a/WHATSNEW b/WHATSNEW
index a87bd817c..8834fadcc 100644
--- a/WHATSNEW
+++ b/WHATSNEW
@@ -9,10 +9,12 @@ Changes that could break older environments:
    destination directory anymore by default. A new attribute
    allowFilesToEscapeDest can be used to override the behavior.
    Another special case is when stripAbsolutePathSpec is false (which
-   still is the default) and the entry's name starts with a
+   no longer is the default) and the entry's name starts with a
    (back)slash and allowFilesToEscapeDest hasn't been specified
    explicitly, in this case the file may be created outside of the
    dest directory as well.
+   In addition stripAbsolutePathSpec is now true by default.
+   Based on a recommendation by the Snyk Security Research Team.
 
 Fixed bugs:
 -----------
diff --git a/manual/Tasks/unzip.html b/manual/Tasks/unzip.html
index 95b3afdb9..dbf4a16c7 100644
--- a/manual/Tasks/unzip.html
+++ b/manual/Tasks/unzip.html
@@ -126,7 +126,8 @@ archive.</p>
       Note that this changes the entry's name before applying
       include/exclude patterns and before using the nested mappers (if
       any).  <em>since Ant 1.8.0</em></td>
-    <td valign="top" align="center">No, defaults to false</td>
+    <td valign="top" align="center">No, defaults to true since 1.9.12
+      (used to defaukt to false prior to that)</td>
   </tr>
   <tr>
     <td valign="top">scanForUnicodeExtraFields</td>
diff --git a/src/main/org/apache/tools/ant/taskdefs/Expand.java b/src/main/org/apache/tools/ant/taskdefs/Expand.java
index a3a27452d..3f83b655e 100644
--- a/src/main/org/apache/tools/ant/taskdefs/Expand.java
+++ b/src/main/org/apache/tools/ant/taskdefs/Expand.java
@@ -67,7 +67,7 @@ public class Expand extends Task {
     private Union resources = new Union();
     private boolean resourcesSpecified = false;
     private boolean failOnEmptyArchive = false;
-    private boolean stripAbsolutePathSpec = false;
+    private boolean stripAbsolutePathSpec = true;
     private boolean scanForUnicodeExtraFields = true;
     private Boolean allowFilesToEscapeDest = null;
 
diff --git a/src/tests/antunit/taskdefs/unzip-test.xml b/src/tests/antunit/taskdefs/unzip-test.xml
index a220bc186..bdf5f61e1 100644
--- a/src/tests/antunit/taskdefs/unzip-test.xml
+++ b/src/tests/antunit/taskdefs/unzip-test.xml
@@ -101,16 +101,16 @@ public class A {
     <available property="can-write-to-tmp!" file="/tmp/testdir/"/>
   </target>
 
-  <target name="testEntriesCanEscapeDestViaAbsolutePathByDefault"
+  <target name="testEntriesCanEscapeDestViaAbsolutePathIfPermitted"
           depends="-can-write-to-tmp?" if="can-write-to-tmp!">
-    <unzip src="zip/direscape-absolute.zip" dest="${output}"/>
+    <unzip src="zip/direscape-absolute.zip" dest="${output}"
+           stripAbsolutePathSpec="false"/>
     <au:assertFileExists file="/tmp/testdir/a"/>
   </target>
 
-  <target name="testEntriesDontEscapeDestViaAbsolutePathIfProhibited"
+  <target name="testEntriesDontEscapeDestViaAbsolutePathByDefault"
           depends="-can-write-to-tmp?" if="can-write-to-tmp!">
-    <unzip src="zip/direscape-absolute.zip" dest="${output}"
-           allowFilesToEscapeDest="false"/>
+    <unzip src="zip/direscape-absolute.zip" dest="${output}"/>
     <au:assertFileDoesntExist file="/tmp/testdir/a"/>
   </target>
 </project>