2 changes: 1 addition & 1 deletion .github/workflows/CI_build.yml
Expand Up @@ -2,7 +2,7 @@ name: CI_build
on: [push, pull_request]
jobs:
build:
runs-on: windows-latest
runs-on: windows-2022
strategy:
fail-fast: false
matrix:
27 changes: 16 additions & 11 deletions src/winmain.cpp
Expand Up @@ -542,6 +542,22 @@ bool decompress(const wstring& zipFullFilePath, const wstring& unzipDestTo)
wstring extraitFullFilePath = unzipDestTo;
PathAppend(extraitFullFilePath, file2extrait);

// Zip slip fix: canonicalize and verify path stays within unzipDestTo
wchar_t canonicalDest[MAX_PATH];
wchar_t canonicalRoot[MAX_PATH];
if (!GetFullPathNameW(extraitFullFilePath.c_str(), MAX_PATH, canonicalDest, nullptr) ||
!GetFullPathNameW(unzipDestTo.c_str(), MAX_PATH, canonicalRoot, nullptr))
return false;

// Ensure canonicalDest starts with canonicalRoot + backslash
wstring destStr(canonicalDest);
wstring rootStr(canonicalRoot);
if (rootStr.back() != L'\\') rootStr += L'\\';
if (destStr.substr(0, rootStr.size()) != rootStr)
{
// Path traversal attempt - skip this entry
continue;
}

// file2extrait be separated into an array
vector<wstring> strArray = tokenizeString(file2extrait, '/');
Expand Down Expand Up @@ -1284,17 +1300,6 @@ bool isAppProcess(const wchar_t* wszAppMutex)

int WINAPI wWinMain(HINSTANCE hInstance, HINSTANCE, PWSTR lpszCmdLine, int)
{
/*
{
wstring destPath = L"C:\\tmp\\res\\TagsView";
wstring dlDest = L"C:\\tmp\\pb\\TagsView_Npp_03beta.zip";
bool isSuccessful = decompress(dlDest, destPath);
if (isSuccessful)
{
return 0;
}
}
*/
// Debug use - stop here so we can attach this process for debugging
//::MessageBox(NULL, L"And do something dirty to me ;)", L"Attach me!", MB_OK);

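Review bot: The `GetFullPathNameW` calls in the new zip-slip check only treat a return of 0 as failure, but when the resolved path is longer than the `MAX_PATH` buffer the function returns the required size without writing the buffer, so `destStr`/`rootStr` are then built from uninitialized stack memory and the containment comparison is made against garbage; a long entry name in a hostile archive can hit exactly this path. The prefix test is also byte-exact (`!=`), which is stricter than Windows' case-insensitive path semantics, and a traversal entry currently `continue`s where the API failure a few lines earlier returns false — for an updater, an archive containing even one `..` entry is hostile and the whole extraction should be aborted rather than partially applied. I would check the returned length against the buffer size, compare with `_wcsnicmp`, and fail the extraction; it is also worth confirming that the write that follows (outside this hunk) opens `extraitFullFilePath` rather than a path rebuilt from `strArray`, otherwise the validated and the written path can differ. `decompress` begins and ends outside this hunk.
```cpp
// Zip slip fix: canonicalize and verify path stays within unzipDestTo
wchar_t canonicalDest[MAX_PATH];
wchar_t canonicalRoot[MAX_PATH];
DWORD destLen = GetFullPathNameW(extraitFullFilePath.c_str(), MAX_PATH, canonicalDest, nullptr);
DWORD rootLen = GetFullPathNameW(unzipDestTo.c_str(), MAX_PATH, canonicalRoot, nullptr);
// 0 is an error; a value >= MAX_PATH means the buffer was NOT written and
// holds the required size instead, so both must be treated as failure.
if (destLen == 0 || destLen >= MAX_PATH || rootLen == 0 || rootLen >= MAX_PATH)
    return false;

wstring destStr(canonicalDest, destLen);
wstring rootStr(canonicalRoot, rootLen);
if (rootStr.back() != L'\\') rootStr += L'\\';
// Case-insensitive prefix test to match Windows path semantics
if (destStr.size() < rootStr.size() ||
    _wcsnicmp(destStr.c_str(), rootStr.c_str(), rootStr.size()) != 0)
{
    // Path traversal attempt: treat the whole archive as hostile, do not skip-and-continue
    return false;
}
// … unchanged: tokenize file2extrait and create the entry …
```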
30 changes: 1 addition & 29 deletions vcproj/GUP.vcxproj
Expand Up @@ -34,35 +34,7 @@
<WindowsSDKDesktopARM64Support>true</WindowsSDKDesktopARM64Support>
</PropertyGroup>
<Import Project="$(VCTargetsPath)\Microsoft.Cpp.Default.props" />
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Release|ARM64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
<WholeProgramOptimization>true</WholeProgramOptimization>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|Win32'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|x64'" Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>
</PropertyGroup>
<PropertyGroup Condition="'$(Configuration)|$(Platform)'=='Debug|ARM64'" Label="Configuration">
<PropertyGroup Label="Configuration">
<ConfigurationType>Application</ConfigurationType>
<PlatformToolset>v143</PlatformToolset>
<CharacterSet>Unicode</CharacterSet>