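Path Traversal: ZIP Entry Overwrite
If a program extracts a ZIP file without validating its entries, an attacker can craft entry names that overwrite files outside the intended directory, resulting in path traversal.
Example: the following code extracts a ZIP file.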
    import java.io.BufferedInputStream;
    import java.io.BufferedOutputStream;
    import java.io.File;
    import java.io.FileInputStream;
    import java.io.FileOutputStream;
    import java.util.zip.ZipEntry;
    import java.util.zip.ZipInputStream;

    static final int BUFFER = 512;
    // ...
    BufferedOutputStream dest = null;
    FileInputStream fis = new FileInputStream(filename);
    ZipInputStream zis = new ZipInputStream(new BufferedInputStream(fis));
    ZipEntry entry;
    while ((entry = zis.getNextEntry()) != null) {
        System.out.println("Extracting: " + entry);
        int count;
        byte[] data = new byte[BUFFER];
        // The entry name comes from the archive and is used as a path without validation
        String fileName = entry.getName();
        if (entry.isDirectory()) {
            new File(fileName).mkdir();
            continue;
        }
        // write the files to the disk
        FileOutputStream fos = new FileOutputStream(fileName);
        dest = new BufferedOutputStream(fos, BUFFER);
        while ((count = zis.read(data, 0, BUFFER)) != -1) {
            dest.write(data, 0, count);
        }
        dest.flush();
        dest.close();
    }
    // ...
    zis.close();
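The code example does not validate zipEntry.getName(). If the ZIP file is placed in the /tmp/ directory, a ZIP entry is named ../etc/hosts, and the application runs with the necessary privileges, the system's hosts file will be overwritten.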