diff --git a/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java b/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
index 057ed1e..2c0cb52 100644
--- a/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
+++ b/common/src/main/java/cz/speedy11/mcrpx/common/util/ZipUtil.java
@@ -99,6 +99,11 @@ public static void extractZip(File file, File destDirectory, ExtractTaskListener
 int elementCount = 0;
 while (zipEntries.hasMoreElements()) {
 ZipEntry zipEntry = zipEntries.nextElement();
+ if (zipEntry.getName().contains("..")) {
+ listener.onMessage("Skipping " + zipEntry.getName() + ": Invalid path");
+ continue;
+ }
+
 try {
 listener.onMessage("Extracting " + zipEntry.getName());
 try (InputStream entryInputStream = zipFile.getInputStream(zipEntry)) {
@@ -141,6 +146,11 @@ public static void extractMinecraft(File file, File destDirectory, ExtractTaskLi
 int elementCount = 0;
 while (jarEntries.hasMoreElements()) {
 JarEntry jarEntry = jarEntries.nextElement();
+ if (jarEntry.getName().contains("..")) {
+ listener.onMessage("Skipping " + jarEntry.getName() + ": Invalid path");
+ continue;
+ }
+
 if (jarEntry.getName().startsWith("assets/") && !jarEntry.isDirectory()) {
 listener.onMessage("Extracting " + jarEntry.getName());
 try (InputStream entryInputStream = jarFile.getInputStream(jarEntry)) {
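Review bot: The guard `zipEntry.getName().contains("..")` in the extractZip hunk, and the identical `jarEntry` test in the extractMinecraft hunk, is a substring heuristic rather than a containment check. It skips harmless names such as `textures/foo..png` and never verifies where the output file actually resolves. The code that builds the destination file is outside both hunks, so whether absolute entry names are already neutralised cannot be confirmed from here. A sturdier guard compares normalised paths: `java.nio.file.Path base = destDirectory.toPath().toAbsolutePath().normalize();` then `if (!new File(destDirectory, zipEntry.getName()).toPath().toAbsolutePath().normalize().startsWith(base)) { /* report and continue */ }`. Putting that test in one private helper called from both loops would stop the two copies drifting apart, and a comment such as `// Reject entries that would resolve outside destDirectory (archive path traversal)` would record why the skip exists.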