diff --git a/.github/workflows/CI_build.yml b/.github/workflows/CI_build.yml
index 105de395..61127752 100644
--- a/.github/workflows/CI_build.yml
+++ b/.github/workflows/CI_build.yml
@@ -2,7 +2,7 @@ name: CI_build
 on: [push, pull_request]
 jobs:
 build:
- runs-on: windows-latest
+ runs-on: windows-2022
 strategy:
 fail-fast: false
 matrix:
diff --git a/src/winmain.cpp b/src/winmain.cpp
index 137b36fc..48dc49d8 100644
--- a/src/winmain.cpp
+++ b/src/winmain.cpp
@@ -542,6 +542,22 @@ bool decompress(const wstring& zipFullFilePath, const wstring& unzipDestTo)
 wstring extraitFullFilePath = unzipDestTo;
 PathAppend(extraitFullFilePath, file2extrait);
+ // Zip slip fix: canonicalize and verify path stays within unzipDestTo
+ wchar_t canonicalDest[MAX_PATH];
+ wchar_t canonicalRoot[MAX_PATH];
+ if (!GetFullPathNameW(extraitFullFilePath.c_str(), MAX_PATH, canonicalDest, nullptr) ||
+ !GetFullPathNameW(unzipDestTo.c_str(), MAX_PATH, canonicalRoot, nullptr))
+ return false;
+
+ // Ensure canonicalDest starts with canonicalRoot + backslash
+ wstring destStr(canonicalDest);
+ wstring rootStr(canonicalRoot);
+ if (rootStr.back() != L'\\') rootStr += L'\\';
+ if (destStr.substr(0, rootStr.size()) != rootStr)
+ {
+ // Path traversal attempt - skip this entry
+ continue;
+ }
 // file2extrait be separated into an array
 vector strArray = tokenizeString(file2extrait, '/');
@@ -1284,17 +1300,6 @@ bool isAppProcess(const wchar_t* wszAppMutex)
 int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE, PWSTR lpszCmdLine, int)
 {
- /*
- {
- wstring destPath = L"C:\\tmp\\res\\TagsView";
- wstring dlDest = L"C:\\tmp\\pb\\TagsView_Npp_03beta.zip";
- bool isSuccessful = decompress(dlDest, destPath);
- if (isSuccessful)
- {
- return 0;
- }
- }
- */
 // Debug use - stop here so we can attach this process for debugging
 //::MessageBox(NULL, L"And do something dirty to me ;)", L"Attach me!", MB_OK);
diff --git a/vcproj/GUP.vcxproj b/vcproj/GUP.vcxproj
index a3071c99..06d3d0c5 100644
--- a/vcproj/GUP.vcxproj
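Review bot: The guard `if (!GetFullPathNameW(...) || !GetFullPathNameW(...)) return false;` in the decompress() hunk only rejects a zero return, but GetFullPathNameW signals an undersized buffer by returning the required length (nonzero and >= MAX_PATH) without filling the buffer, so an entry name that canonicalizes to more than MAX_PATH characters would leave `canonicalDest` uninitialized and `wstring destStr(canonicalDest)` would read stack garbage instead of the path being rejected. Capture the lengths and treat truncation as failure: `const DWORD destLen = GetFullPathNameW(extraitFullFilePath.c_str(), MAX_PATH, canonicalDest, nullptr);`, `const DWORD rootLen = GetFullPathNameW(unzipDestTo.c_str(), MAX_PATH, canonicalRoot, nullptr);`, `if (destLen == 0 || destLen >= MAX_PATH || rootLen == 0 || rootLen >= MAX_PATH) return false;`. The prefix compare is case-sensitive while Windows paths are not; because both strings are derived from the same unzipDestTo prefix a casing mismatch can only cause an entry to be skipped, never to escape, so it is safe but deserves a comment such as `// case-sensitive on purpose: a mismatch only skips an entry, it cannot let one escape the root`. Canonicalization failure aborts the whole archive with `return false` while a traversal attempt only `continue`s past the entry, which reads inconsistently and is worth a one-line comment stating which outcome is intended; the enclosing decompress() loop starts and ends outside the hunk.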
+++ b/vcproj/GUP.vcxproj @@ -34,35 +34,7 @@ true - - Application - v143 - Unicode - true - - - Application - v143 - Unicode - true - - - Application - v143 - Unicode - true - - - Application - v143 - Unicode - - - Application - v143 - Unicode - - + Application v143 Unicode