mc-in-work/PrismLauncher
1
0
Fork 0
mirror of https://github.com/PrismLauncher/PrismLauncher.git synced 2026-06-29 01:54:20 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix atl path traversal

Browse source 
Signed-off-by: Trial97 <alexandru.tripon97@gmail.com>
This commit is contained in:
Trial97 2026-05-07 14:43:44 +03:00
parent ac7c8adea2
commit 4cbfe7fb0e
1 changed files with 19 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

19
launcher/modplatform/atlauncher/ATLPackInstallTask.cpp
View file

@ -59,6 +59,16 @@
#include "BuildConfig.h"
#include "ui/dialogs/BlockedModsDialog.h"
namespace {
bool isPathTraversal(const QString& basePath, const QString& entryName)
{
auto safeName = FS::RemoveInvalidPathChars(entryName);
auto fullPath = FS::PathCombine(basePath, safeName);
auto baseUrl = QUrl::fromLocalFile(basePath);
return !baseUrl.isParentOf(QUrl::fromLocalFile(fullPath));
}
} // namespace
namespace ATLauncher {
static Meta::Version::Ptr getComponentVersion(const QString& uid, const QString& version);
@ -938,6 +948,10 @@ bool PackInstallTask::extractMods(const QMap<QString, VersionMod>& toExtract,
folderToExtract = mod.extractFolder;
static const QRegularExpression s_regex("^/");
folderToExtract.remove(s_regex);
if (isPathTraversal(extractToPath, folderToExtract)) {
qWarning() << "Blocked path traversal in" << mod.extractFolder;
return false;
}
}
qDebug() << "Extracting " + mod.file + " to " + extractToDir;
@ -955,6 +969,11 @@ bool PackInstallTask::extractMods(const QMap<QString, VersionMod>& toExtract,
QDir extractDir(m_stagingPath);
auto extractToPath = FS::PathCombine(extractDir.absolutePath(), "minecraft", extractToDir, mod.decompFile);
if (isPathTraversal(extractToPath, mod.decompFile)) {
qWarning() << "Blocked path traversal in decompFile" << mod.decompFile;
return false;
}
qDebug() << "Extracting " + mod.decompFile + " to " + extractToDir;
if (!MMCZip::extractFile(modPath, mod.decompFile, extractToPath)) {
qWarning() << "Failed to extract" << mod.decompFile;