Fix path traversal vulnerability by plamentotev · Pull Request #261 · codehaus-plexus/plexus-archiver
AbstractUnArchiver#extractFile uses String#startsWith to verify whether the target file is located inside the destination directory. This check gives a false negative for cases such as /opt/directory and /opt/dir. /opt/directory starts with /opt/dir although it is not inside it. This is a limited path traversal vulnerability.
Fixes: #260
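The boundary problem described above, shown as an added example (not the pull request's own code or the plexus-archiver implementation): a plain prefix check next to a separator-aware check, run over a few constructed paths. The class and method names are illustrative.

```java
import java.io.File;
import java.io.IOException;

public class DestinationCheck {
    // Vulnerable form (as described in the PR): plain string prefix test.
    // "/opt/directory" starts with "/opt/dir", so it passes although the
    // file is a sibling of the destination, not inside it.
    static boolean insideDirByStringPrefix(File dest, File target) throws IOException {
        return target.getCanonicalPath().startsWith(dest.getCanonicalPath());
    }

    // Hardened form (illustrative): canonicalise both paths, then require
    // either the destination itself or a path below a trailing separator,
    // so sibling directories sharing a name prefix are rejected.
    static boolean insideDir(File dest, File target) throws IOException {
        String destPath = dest.getCanonicalPath();
        String targetPath = target.getCanonicalPath();
        if (targetPath.equals(destPath)) {
            return true;
        }
        if (!destPath.endsWith(File.separator)) {
            destPath += File.separator;
        }
        return targetPath.startsWith(destPath);
    }

    public static void main(String[] args) throws IOException {
        File dest = new File("/opt/dir");
        // Constructed sample entries as an archive might name them.
        File[] samples = {
            new File("/opt/dir/file.txt"),  // inside: both checks accept
            new File("/opt/dir/../dir/x"),  // inside after canonicalisation
            new File("/opt/directory"),     // sibling: prefix check wrongly accepts
            new File("/opt/dir/../evil"),   // escapes via ..: both checks reject
        };
        for (File f : samples) {
            System.out.printf("%-22s prefix=%-5s boundary=%s%n", f.getPath(),
                    insideDirByStringPrefix(dest, f), insideDir(dest, f));
        }
    }
}
```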