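--- a/part/part.cpp
+++ b/part/part.cpp
@@ -558,8 +558,15 @@ void Part::slotPreviewExtracted(KJob *jo
 if (!job->error()) {
 const ArchiveEntry& entry =
 m_model->entryForIndex(m_view->selectionModel()->currentIndex());
- const QString fullName =
- m_previewDir->name() + QLatin1Char( '/' ) + entry[ FileName ].toString();
+
+ QString fullName =
+ m_previewDir->name() + QLatin1Char('/') + entry[FileName].toString();
+
+ // Make sure a maliciously crafted archive with parent folders named ".." do
+ // not cause the previewed file path to be located outside the temporary
+ // directory, resulting in a directory traversal issue.
+ fullName.remove(QLatin1String("../"));
+
 ArkViewer::view(fullName, widget());
 } else {
 KMessageBox::error(widget(), job->errorString());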
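Review bot: `fullName.remove(QLatin1String("../"))` is a single-pass filter rather than a containment check: characters on either side of a removed occurrence can join into a new `../`, and the call also rewrites the `m_previewDir->name()` prefix, not only the entry name. A sturdier form normalizes the joined path with `QDir::cleanPath()` and opens the viewer only when the result is still below the preview directory, as sketched below; entries that are symlinks would additionally need `QFileInfo::canonicalFilePath()`. The hunk only changes the path handed to `ArkViewer::view()`, so whether the preview extraction itself can write outside the temporary directory is not visible here and is worth checking separately. `slotPreviewExtracted` starts and ends outside the hunk.

```cpp
// … unchanged: job->error() check and entry lookup …
const QString previewRoot = QDir::cleanPath(m_previewDir->name());
const QString fullName = QDir::cleanPath(
    previewRoot + QLatin1Char('/') + entry[FileName].toString());

// Open the file only if the normalized path is still inside the preview directory.
if (fullName.startsWith(previewRoot + QLatin1Char('/'))) {
    ArkViewer::view(fullName, widget());
} else {
    // … report the rejected entry name to the user …
}
// … unchanged: else branch showing job->errorString() …
```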