A more robust path resolution

and more readable is_child_of? method
Sonny Gonzalez 2019-04-12 11:01:14 -05:00
parent 6bf824d200
commit 04dcd8a1f9
GPG Key ID: CB9B0D55493F72DA
1 changed files with 2 additions and 2 deletions


@ -195,7 +195,7 @@ module Msf::DBManager::Import::MetasploitFramework::Zip
data.entries.each do |e|
# normalize entry name to an absolute path
target = (Pathname.new(@import_filedata[:zip_tmp]) + e.name).to_s
target = File.expand_path(@import_filedata[:zip_tmp] + e.name, '/').to_s
# skip if the target would be extracted outside of the zip
# tmp dir to mitigate any directory traversal attacks
@ -244,6 +244,6 @@ module Msf::DBManager::Import::MetasploitFramework::Zip
end
def is_child_of?(target_dir, target)
target.match?(/^#{target_dir}/)
target.downcase.start_with?(target_dir.downcase)
end
end
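Review bot: The rewritten `is_child_of?` still accepts any path that merely begins with the `target_dir` string, so for a `target_dir` of `/tmp/zip` a resolved `/tmp/zip2/x` or `/tmp/zip../x` passes the `start_with?` check even though neither lies inside the directory; compare against the directory plus a separator instead, e.g. `base = File.join(target_dir, '')` followed by `target == target_dir || target.downcase.start_with?(base.downcase)`. The same prefix issue is what makes the bare `@import_filedata[:zip_tmp] + e.name` concatenation in the first hunk fragile: unless `:zip_tmp` is guaranteed to end in a separator (not visible here), `File.join(@import_filedata[:zip_tmp], e.name)` keeps the entry under the directory before `expand_path` normalizes it, and the trailing `.to_s` is redundant since `File.expand_path` already returns a String. Because the rendered view lost the +/- markers, I am reading the `File.expand_path` and `start_with?` lines as the new side, as the commit message suggests.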