Extract archives in a separate directory from the input archive - Githubissues

sparkle-project / Sparkle

A software update framework for macOS

https://sparkle-project.org

Other

7.28k stars 1.04k forks source link

Extract archives in a separate directory from the input archive #2550

Closed zorgiepoo closed 2 months ago

zorgiepoo commented 2 months ago

Fixes #960 and may later help me work around #2544

This also fixes a vulnerability issue where an attacker could overwrite the input archive file since it resided in the same directory as the one being extracted into.

Misc Checklist

[ ] My change requires a documentation update on Sparkle's website repository
[ ] My change requires changes to generate_appcast, generate_keys, or sign_update

Testing

I tested and verified my change by using one or multiple of these methods:

[x] Sparkle Test App
[x] Unit Tests
[x] My own app
[ ] Other (please specify)

Tested extracting app update with a test app from:

[x] zip files
[x] tar* files
[x] binary delta files
[x] dmg files (with Applications alias)
[x] archived pkg files
[x] bare pkg file
[x] generating new updates using generate_appcast works

macOS version tested: 14.4.1 (23E224)