From e154be898e4ad81776886f501c42ed4c55eaa751 Mon Sep 17 00:00:00 2001
From: Don Ho
Date: Wed, 17 Jun 2026 16:43:20 +0200
Subject: [PATCH 1/4] Fix Path Traversal (Zip Slip) issue
---
 src/winmain.cpp | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)
diff --git a/src/winmain.cpp b/src/winmain.cpp
index 137b36fc..46402a53 100644
--- a/src/winmain.cpp
+++ b/src/winmain.cpp
@@ -542,6 +542,22 @@ bool decompress(const wstring& zipFullFilePath, const wstring& unzipDestTo)
 wstring extraitFullFilePath = unzipDestTo;
 PathAppend(extraitFullFilePath, file2extrait);
+ // Zip slip fix: canonicalize and verify path stays within unzipDestTo
+ wchar_t canonicalDest[MAX_PATH];
+ wchar_t canonicalRoot[MAX_PATH];
+ if (!GetFullPathNameW(extraitFullFilePath.c_str(), MAX_PATH, canonicalDest, nullptr) ||
+ !GetFullPathNameW(unzipDestTo.c_str(), MAX_PATH, canonicalRoot, nullptr))
+ return false;
+ // Ensure canonicalDest starts with canonicalRoot + backslash
+ wstring destStr(canonicalDest);
+ wstring rootStr(canonicalRoot);
+ if (rootStr.back() != L'\\') rootStr += L'\\';
+ if (destStr.substr(0, rootStr.size()) != rootStr)
+ {
+ // Path traversal attempt - skip this entry
+ continue;
+ }
 // file2extrait be separated into an array
 vector strArray = tokenizeString(file2extrait, '/');
From 08d992aa76a75fb0280666a3e54e247ee64871fd Mon Sep 17 00:00:00 2001
From: Don Ho
Date: Wed, 17 Jun 2026 17:19:19 +0200
Subject: [PATCH 2/4] Fix ARM64 build error
---
 vcproj/GUP.vcxproj | 34 ++++------------------------------
 1 file changed, 4 insertions(+), 30 deletions(-)
diff --git a/vcproj/GUP.vcxproj b/vcproj/GUP.vcxproj
index a3071c99..e9cd6baf 100644
--- a/vcproj/GUP.vcxproj
+++ b/vcproj/GUP.vcxproj
@@ -34,37 +34,11 @@ true - + Application - v143 - Unicode - true - - - Application - v143 - Unicode - true - - - Application - v143 - Unicode - true - - - Application - v143 - Unicode - - - Application - v143 - Unicode - - - Application - v143 + v145 + v143 + v143 Unicode
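Review bot: In the `decompress` hunk of src/winmain.cpp (PATCH 1/4), both `GetFullPathNameW` calls are tested only for a zero return, but when the resolved path does not fit in `MAX_PATH` characters the function returns the required size, which is non-zero, and the buffer contents are not guaranteed; `destStr` and `rootStr` would then be built from uninitialized stack buffers and the containment check would decide on garbage. Keep each return value and fail closed on truncation, e.g. `DWORD n = GetFullPathNameW(extraitFullFilePath.c_str(), MAX_PATH, canonicalDest, nullptr);` then `if (n == 0 || n >= MAX_PATH) return false;`, and the same for `canonicalRoot`. The check is lexical only (`GetFullPathNameW` does not resolve junctions or symlinks) and the `substr` comparison is case-sensitive, so a short comment stating those limits would help the next reader. The extraction loop and the rest of `decompress` lie outside the hunk, so whether `continue` (skip the entry, keep extracting, possibly still report success) is preferable to rejecting the whole archive cannot be judged from here.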
From f98493dab44cda3562bd651ae2ea1d9948aa170a Mon Sep 17 00:00:00 2001
From: Don Ho
Date: Wed, 17 Jun 2026 18:15:06 +0200
Subject: [PATCH 3/4] Fix ARM64 build error
---
 .github/workflows/CI_build.yml | 2 +-
 vcproj/GUP.vcxproj | 4 +---
 2 files changed, 2 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/CI_build.yml b/.github/workflows/CI_build.yml
index 105de395..61127752 100644
--- a/.github/workflows/CI_build.yml
+++ b/.github/workflows/CI_build.yml
@@ -2,7 +2,7 @@ name: CI_build
 on: [push, pull_request]
 jobs:
 build:
- runs-on: windows-latest
+ runs-on: windows-2022
 strategy:
 fail-fast: false
 matrix:
diff --git a/vcproj/GUP.vcxproj b/vcproj/GUP.vcxproj
index e9cd6baf..06d3d0c5 100644
--- a/vcproj/GUP.vcxproj
+++ b/vcproj/GUP.vcxproj
@@ -36,9 +36,7 @@ Application - v145 - v143 - v143 + v143 Unicode
From 24217ac711437652fc144e0351d416494f0887a1 Mon Sep 17 00:00:00 2001
From: Don Ho
Date: Wed, 17 Jun 2026 18:27:53 +0200
Subject: [PATCH 4/4] Remove unnecessary comment
---
 src/winmain.cpp | 11 -----------
 1 file changed, 11 deletions(-)
diff --git a/src/winmain.cpp b/src/winmain.cpp
index 46402a53..48dc49d8 100644
--- a/src/winmain.cpp
+++ b/src/winmain.cpp
@@ -1300,17 +1300,6 @@ bool isAppProcess(const wchar_t* wszAppMutex)
 int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE, PWSTR lpszCmdLine, int)
 {
- /*
- {
- wstring destPath = L"C:\\tmp\\res\\TagsView";
- wstring dlDest = L"C:\\tmp\\pb\\TagsView_Npp_03beta.zip";
- bool isSuccessful = decompress(dlDest, destPath);
- if (isSuccessful)
- {
- return 0;
- }
- }
- */
 // Debug use - stop here so we can attach this process for debugging
 //::MessageBox(NULL, L"And do something dirty to me ;)", L"Attach me!", MB_OK);