| @@ -9,10 +9,12 @@ Changes that could break older environments: | |||||
| destination directory anymore by default. A new attribute | destination directory anymore by default. A new attribute | ||||
| allowFilesToEscapeDest can be used to override the behavior. | allowFilesToEscapeDest can be used to override the behavior. | ||||
| Another special case is when stripAbsolutePathSpec is false (which | Another special case is when stripAbsolutePathSpec is false (which | ||||
| still is the default) and the entry's name starts with a | |||||
| no longer is the default) and the entry's name starts with a | |||||
| (back)slash and allowFilesToEscapeDest hasn't been specified | (back)slash and allowFilesToEscapeDest hasn't been specified | ||||
| explicitly, in this case the file may be created outside of the | explicitly, in this case the file may be created outside of the | ||||
| dest directory as well. | dest directory as well. | ||||
| In addition stripAbsolutePathSpec is now true by default. | |||||
| Based on a recommendation by the Snyk Security Research Team. | |||||
| Fixed bugs: | Fixed bugs: | ||||
| ----------- | ----------- | ||||
| @@ -108,7 +108,8 @@ extract an Ant generated ZIP archive.</p> | |||||
| name before extracting it. Note that this changes the entry name before | name before extracting it. Note that this changes the entry name before | ||||
| applying <code>include</code>/<code>exclude</code> patterns and before using the nested | applying <code>include</code>/<code>exclude</code> patterns and before using the nested | ||||
| mappers (if any). <em>since Ant 1.8.0</em></td> | mappers (if any). <em>since Ant 1.8.0</em></td> | ||||
| <td>No; defaults to <q>false</q></td> | |||||
| <td>No; defaults to <q>true</q> since 1.10.4 | |||||
| (used to defaukt to <q>false</q> prior to that)</td> | |||||
| </tr> | </tr> | ||||
| <tr> | <tr> | ||||
| <td>scanForUnicodeExtraFields</td> | <td>scanForUnicodeExtraFields</td> | ||||
| @@ -75,7 +75,7 @@ public class Expand extends Task { | |||||
| private Union resources = new Union(); | private Union resources = new Union(); | ||||
| private boolean resourcesSpecified = false; | private boolean resourcesSpecified = false; | ||||
| private boolean failOnEmptyArchive = false; | private boolean failOnEmptyArchive = false; | ||||
| private boolean stripAbsolutePathSpec = false; | |||||
| private boolean stripAbsolutePathSpec = true; | |||||
| private boolean scanForUnicodeExtraFields = true; | private boolean scanForUnicodeExtraFields = true; | ||||
| private Boolean allowFilesToEscapeDest = null; | private Boolean allowFilesToEscapeDest = null; | ||||
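Review bot: The flipped default on `stripAbsolutePathSpec` is the security-relevant part of this change, yet the field declaration carries no comment saying why it is now `true`, so a later edit could revert it without noticing the consequence. The changelog hunk in this same commit states that an explicit `stripAbsolutePathSpec="false"` with `allowFilesToEscapeDest` left unset still lets an entry whose name starts with a (back)slash be written outside `dest`, and that interaction with the tri-state `allowFilesToEscapeDest` field is worth recording at the declaration. I would add above the field: `// true since 1.10.4 (Snyk recommendation): names starting with a (back)slash are made relative to dest; setting this to false while allowFilesToEscapeDest is unset re-enables writing outside dest.` The class body continues outside the hunk, so the setter and the place the flag is consumed were not reviewed here.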
| @@ -101,16 +101,16 @@ public class A { | |||||
| <available property="can-write-to-tmp!" file="/tmp/testdir/"/> | <available property="can-write-to-tmp!" file="/tmp/testdir/"/> | ||||
| </target> | </target> | ||||
| <target name="testEntriesCanEscapeDestViaAbsolutePathByDefault" | |||||
| <target name="testEntriesCanEscapeDestViaAbsolutePathIfPermitted" | |||||
| depends="-can-write-to-tmp?" if="can-write-to-tmp!"> | depends="-can-write-to-tmp?" if="can-write-to-tmp!"> | ||||
| <unzip src="zip/direscape-absolute.zip" dest="${output}"/> | |||||
| <unzip src="zip/direscape-absolute.zip" dest="${output}" | |||||
| stripAbsolutePathSpec="false"/> | |||||
| <au:assertFileExists file="/tmp/testdir/a"/> | <au:assertFileExists file="/tmp/testdir/a"/> | ||||
| </target> | </target> | ||||
| <target name="testEntriesDontEscapeDestViaAbsolutePathIfProhibited" | |||||
| <target name="testEntriesDontEscapeDestViaAbsolutePathByDefault" | |||||
| depends="-can-write-to-tmp?" if="can-write-to-tmp!"> | depends="-can-write-to-tmp?" if="can-write-to-tmp!"> | ||||
| <unzip src="zip/direscape-absolute.zip" dest="${output}" | |||||
| allowFilesToEscapeDest="false"/> | |||||
| <unzip src="zip/direscape-absolute.zip" dest="${output}"/> | |||||
| <au:assertFileDoesntExist file="/tmp/testdir/a"/> | <au:assertFileDoesntExist file="/tmp/testdir/a"/> | ||||
| </target> | </target> | ||||
| </project> | </project> | ||||
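Review bot: Turning the old `testEntriesDontEscapeDestViaAbsolutePathIfProhibited` target into the by-default test drops the only case that exercised `allowFilesToEscapeDest="false"` against an absolute entry name; with the new default the name is stripped before that flag matters, so the prohibit path is no longer covered. The renamed `...IfPermitted` target shows that `stripAbsolutePathSpec="false"` alone writes `/tmp/testdir/a`, which is exactly the combination a user who restores the old default would rely on `allowFilesToEscapeDest="false"` to block, so a third target combining both attributes and asserting the file does not exist would keep that guarantee tested. Both targets write to the same fixed path, so the `assertFileDoesntExist` check depends on `/tmp/testdir/a` being removed between targets; the teardown, if any, is outside this hunk.
```xml
  <target name="testEntriesDontEscapeDestViaAbsolutePathIfProhibited"
          depends="-can-write-to-tmp?" if="can-write-to-tmp!">
    <unzip src="zip/direscape-absolute.zip" dest="${output}"
           stripAbsolutePathSpec="false" allowFilesToEscapeDest="false"/>
    <au:assertFileDoesntExist file="/tmp/testdir/a"/>
  </target>
```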