TrueZIP
  1. TrueZIP
  2. TRUEZIP-344

TFile.listFiles does not work correctly for archives containing entries with absolute paths

    Details

    • Type: Bug Bug
    • Status: Closed
    • Priority: Minor Minor
    • Resolution: Fixed
    • Affects Version/s: TrueZIP 7.7.5, TrueZIP 7.7.6
    • Fix Version/s: TrueZIP 7.7.7
    • Component/s: None
    • Labels:
      None

      Description

      Hi,

      On zip archives containing entries with absolute paths, the method TFile.listFiles returns the archive itself rather than the entries in the archive. Here's some sample code:

      package test;
      
      import de.schlichtherle.truezip.file.TFile;
      
      public class Test {
      
      	public static void main(String[] args) {
      		String path = "C:\\test.zip";
      		TFile file = new TFile(path);
      		for (TFile child : file.listFiles()) {
      			System.out.println(child.getAbsolutePath());
      		}
      	}
      
      }
      

      The output of the above program is "C:\test.zip" rather than a path pointing to the file inside the archive.

      listFiles returning the archive itself has the unfortunate effect of crashing the program with a StackOverflowError, if the program traverses the file system recursively and comes across an archive with absolute entries.

      Best regards
      Quang

        Issue Links

          Activity

          Hide
          qforce added a comment -

          Note: I have the "test.zip" file that is used in the code above, but I can't find a way to attach it to this bug report. If you need the test file, just tell me where to send it to.

          Show
          qforce added a comment - Note: I have the "test.zip" file that is used in the code above, but I can't find a way to attach it to this bug report. If you need the test file, just tell me where to send it to.
          Hide
          qforce added a comment -

          Another remark: The above problem was found on Windows, but not on Linux.

          Show
          qforce added a comment - Another remark: The above problem was found on Windows, but not on Linux.
          Hide
          Christian Schlichtherle added a comment -

          Entries with absolute path names should be ignored and there should be no way you can address them because they are considered to be a security threat. So if "C:
          test.zip" contains nothing but entries with absolute path names, then .listFiles() should return an empty array, just as if the app would encounter an empty directory. Can you verify this behavior with TrueZIP 7.7.6 please or change the initial path to be relative? I suspect this is a Windows specific issue.

          Please add the ZIP file in question. You can attach it in the Operations menu on the left.

          Show
          Christian Schlichtherle added a comment - Entries with absolute path names should be ignored and there should be no way you can address them because they are considered to be a security threat. So if "C: test.zip" contains nothing but entries with absolute path names, then .listFiles() should return an empty array, just as if the app would encounter an empty directory. Can you verify this behavior with TrueZIP 7.7.6 please or change the initial path to be relative? I suspect this is a Windows specific issue. Please add the ZIP file in question. You can attach it in the Operations menu on the left.
          Hide
          qforce added a comment - - edited

          Can you verify this behavior with TrueZIP 7.7.6 please or change the initial path to be relative?

          If I put the test file in the current directory and set the initial path to "test.zip", the program's output is still the test file itself:

          C:\Documents and Settings\Nam-Quang Tran\workspace\Test\test.zip

          TrueZIP 7.7.6 gives exactly the same output as TrueZIP 7.7.5.

          Please add the ZIP file in question. You can attach it in the Operations menu on the left.

          I can't see any attachment-related actions in the Operations menu. Maybe I don't have the permission to add files. Anyway, here are the contents of the file encoded in base64:

          UEsDBAoAAAAAACmGnUQAAAAAAAAAAAAAAAALAAAAQzovdGVzdC50eHRQSwECFAAKAAAAAAAphp1E
          AAAAAAAAAAAAAAAACwAAAAAAAAAAACAAAAAAAAAAQzovdGVzdC50eHRQSwUGAAAAAAEAAQA5AAAA
          KQAAAAAA
          
          Show
          qforce added a comment - - edited Can you verify this behavior with TrueZIP 7.7.6 please or change the initial path to be relative? If I put the test file in the current directory and set the initial path to "test.zip", the program's output is still the test file itself: C:\Documents and Settings\Nam-Quang Tran\workspace\Test\test.zip TrueZIP 7.7.6 gives exactly the same output as TrueZIP 7.7.5. Please add the ZIP file in question. You can attach it in the Operations menu on the left. I can't see any attachment-related actions in the Operations menu. Maybe I don't have the permission to add files. Anyway, here are the contents of the file encoded in base64: UEsDBAoAAAAAACmGnUQAAAAAAAAAAAAAAAALAAAAQzovdGVzdC50eHRQSwECFAAKAAAAAAAphp1E AAAAAAAAAAAAAAAACwAAAAAAAAAAACAAAAAAAAAAQzovdGVzdC50eHRQSwUGAAAAAAEAAQA5AAAA KQAAAAAA
          Hide
          qforce added a comment -

          Hi, is this bug report still going somewhere? Should I upload the test file elsewhere?

          Show
          qforce added a comment - Hi, is this bug report still going somewhere? Should I upload the test file elsewhere?
          Hide
          Christian Schlichtherle added a comment -

          Sorry, I am just very busy these days.

          Show
          Christian Schlichtherle added a comment - Sorry, I am just very busy these days.
          Hide
          qforce added a comment - - edited

          No problem. I just wanted to confirm that you weren't waiting for me to upload the test file, or something like that.

          Show
          qforce added a comment - - edited No problem. I just wanted to confirm that you weren't waiting for me to upload the test file, or something like that.

            People

            • Assignee:
              Christian Schlichtherle
              Reporter:
              qforce
            • Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved: