Open omermircor opened 5 months ago
adamhathcock
commented
5 months ago There was to avoid a specific vulnerability to not allow extraction outside the destination directory:
https://github.com/adamhathcock/sharpcompress/pull/374/files
Path.Join does not seem applicable.
Ilanlido
commented
5 months ago @adamhathcock Hi, i would've assume that if my destination folder is /root2 and the directory inside the zip is for example /root/file.txt then it will be extracted to /root2/root/file.txt (just like if i extract the zip manually on my pc)
adamhathcock
commented
5 months ago again, the linked PR prevents extraction to directories outside of the current one
Ilanlido
commented
5 months ago I understand, again, i didn't expect it to extract to outside directories i'm expecting it to extract the full path into my desired destination folder - the problem is that when using Path.Combine("/root","/root2/test.txt") it will return "/root2/test.txt" instead of "/root/root2/test.txt"
adamhathcock
commented
5 months ago These are just convenance methods. You don't have to use them. You can write your own to write entries to whatever you like and however you like.
Hi, When I call WriteEntryToDirectory with entry key that is rooted for example '/root/file.txt' and the directory '/root2' as param. the code fails with Entry is trying to create a directory outside of the destination directory. The reason for that is Path.Combine ignore the directory path param. The solution should be move use Path.Join.