public void process(InputStream in, ZipEntry zipEntry) throws IOException { String name = mapper.map(zipEntry.getName()); if (name != null) { File file = makeDestinationFile(outputDir, name); if (zipEntry.isDirectory()) { FileUtils.forceMkdir(file); } else { FileUtils.forceMkdir(file.getParentFile()); if (log.isDebugEnabled() && file.exists()) { log.debug("Overwriting file '{}'.", zipEntry.getName()); } FileUtils.copy(in, file); } ZTFilePermissions permissions = ZipEntryUtil.getZTFilePermissions(zipEntry); if (permissions != null) { ZTFilePermissionsUtil.getDefaultStategy().setPermissions(file, permissions); } } } }
public void process(InputStream in, ZipEntry zipEntry) throws IOException { String name = mapper.map(zipEntry.getName()); if (name != null) { File file = new File(outputDir, name); /* If we see the relative traversal string of ".." we need to make sure * that the outputdir + name doesn't leave the outputdir. See * DirectoryTraversalMaliciousTest for details. */ if (name.indexOf("..") != -1 && !file.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) { throw new ZipException("The file "+name+" is trying to leave the target output directory of "+outputDir+". Ignoring this file."); } if (zipEntry.isDirectory()) { FileUtils.forceMkdir(file); } else { FileUtils.forceMkdir(file.getParentFile()); if (log.isDebugEnabled() && file.exists()) { log.debug("Overwriting file '{}'.", zipEntry.getName()); } FileUtils.copy(in, file); } ZTFilePermissions permissions = ZipEntryUtil.getZTFilePermissions(zipEntry); if (permissions != null) { ZTFilePermissionsUtil.getDefaultStategy().setPermissions(file, permissions); } } } }