Allow tilde in zip entry names

Use absolute_path rather than expand_path to allow tilde to pass through unchanged. Otherwise, we try to expand it to a home directory.
rubyzip · Mar 22, 2019 · ad15c3c · ad15c3c
1 parent 8ece5c9
commit ad15c3c
Show file tree

Hide file tree

Showing 3 changed files with 8 additions and 1 deletion.
diff --git a/lib/zip/entry.rb b/lib/zip/entry.rb
@@ -118,7 +118,7 @@ def name_safe?
       return false unless cleanpath.relative?
       root = ::File::SEPARATOR
       naive_expanded_path = ::File.join(root, cleanpath.to_s)
-      cleanpath.expand_path(root).to_s == naive_expanded_path
+      ::File.absolute_path(cleanpath.to_s, root) == naive_expanded_path
     end
 
     def local_entry_offset #:nodoc:all

diff --git a/test/data/path_traversal/tilde.zip b/test/data/path_traversal/tilde.zip
diff --git a/test/path_traversal_test.rb b/test/path_traversal_test.rb
@@ -131,4 +131,11 @@ def test_entry_name_with_relative_symlink
       refute File.exist?('/tmp/file.txt')
     end
   end
+
+  def test_entry_name_with_tilde
+    in_tmpdir do
+      extract_path_traversal_zip 'tilde.zip'
+      assert File.exist?('~tilde~')
+    end
+  end
 end