<html xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=utf-8"><meta name=Generator content="Microsoft Word 15 (filtered medium)"><style><!--
/* Font Definitions */
@font-face
{font-family:"Cambria Math";
panose-1:2 4 5 3 5 4 6 3 2 4;}
@font-face
{font-family:Calibri;
panose-1:2 15 5 2 2 2 4 3 2 4;}
/* Style Definitions */
p.MsoNormal, li.MsoNormal, div.MsoNormal
{margin:0cm;
margin-bottom:.0001pt;
font-size:11.0pt;
font-family:"Calibri",sans-serif;}
.MsoChpDefault
{mso-style-type:export-only;}
@page WordSection1
{size:612.0pt 792.0pt;
margin:70.85pt 70.85pt 2.0cm 70.85pt;}
div.WordSection1
{page:WordSection1;}
--></style></head><body lang=DE><div class=WordSection1><p class=MsoNormal><span lang=EN-US>Hello,<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>according to Snyk’s Zip Slip vulnerability report (the issue with file Name traversal by extracted Archives) was also sent to Oracle and since Java.util.zip.ZipEntry is a low-Level api the proper Action is changes to the documentation.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>https://github.com/snyk/zip-slip-vulnerability<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>I wonder if those changes are already published and where they are.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>(I am aware I wont get an answer if it is not yet published, but in that case the statement in the repo should be corrected to “not yet documented”).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Does the enhanced documentation also talk about the other classical Problems with Archive file entries like absolute path, control characters (linefeed) and illegal (for the local filesystem) characters? Does it also Mention Backslash? If not, I would think a warning might be needed for ZipEntry.getName.<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>The reason I am Looking into this is, because the solution with preparing the file path of canonized file names and parent is not Always possible if it will not directly be extracted or if the Performance Impact might be too high. For that reason rejecting some bad characters and structures on the string Level might be a good Thing (even if that would be a dangerous blacklist construct).<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p><p class=MsoNormal><span lang=EN-US>Gruss<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>Bernd<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US>-- <br>http://bernd.eckenfels.net<o:p></o:p></span></p><p class=MsoNormal><span lang=EN-US><o:p> </o:p></span></p></div></body></html>