[ https://issues.apache.org/jira/browse/COMPRESS-495?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Stefan Bodewig resolved COMPRESS-495. ------------------------------------- Resolution: Fixed I've removed the complete EXTRACT code from the CLI class, it shouldn't be used anyway. Thanks again. > Zip Slip in SevenZ CLI > ---------------------- > > Key: COMPRESS-495 > URL: https://issues.apache.org/jira/browse/COMPRESS-495 > Project: Commons Compress > Issue Type: Bug > Components: Archivers > Reporter: Gabor Molnar > Priority: Major > Labels: 7zip > Fix For: 1.20 > > > The SevenZ decompressor doesn't check that the file to be extracted is > escaping the current directory or not. > Vulnerable code: > [https://github.com/apache/commons-compress/blob/26b78cecfc1ca0e5daf03109b2c441f960bde678/src/main/java/org/apache/commons/compress/archivers/sevenz/CLI.java#L67] > In another place in the repository, there is a safe implementation that was > added as an example when the Zip Slip vulnerability was originally published: > https://github.com/apache/commons-compress/blob/1a14a23a05f7104e3d41a25a0f7e78ae1556285e/src/main/java/org/apache/commons/compress/archivers/examples/Expander.java#L308 -- This message was sent by Atlassian Jira (v8.3.4#803005)