From 869fdcbc15f7502317f105c11c650b9730d9bd6c Mon Sep 17 00:00:00 2001
From: Marian Koncek
Date: Fri, 13 Oct 2023 14:56:46 +0200
Subject: [PATCH] CVE-2023-37460: Avoid override target symlink by standard file in AbstractUnArchiver

Backported from https://github.com/codehaus-plexus/plexus-archiver/commit/54759839fbdf85caf8442076f001d5fd64e0dcb2
---
 .../archiver/zip/AbstractZipUnArchiver.java | 15 +++------------
 1 file changed, 3 insertions(+), 12 deletions(-)

diff --git a/src/main/java/org/codehaus/plexus/archiver/zip/AbstractZipUnArchiver.java b/src/main/java/org/codehaus/plexus/archiver/zip/AbstractZipUnArchiver.java
index d4c20aa..8f1e665 100644
--- a/src/main/java/org/codehaus/plexus/archiver/zip/AbstractZipUnArchiver.java
+++ b/src/main/java/org/codehaus/plexus/archiver/zip/AbstractZipUnArchiver.java
@@ -24,6 +24,8 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.net.URL;
+import java.nio.file.Files;
+import java.nio.file.StandardCopyOption;
 import java.util.Date;
 import java.util.Enumeration;
 import org.codehaus.plexus.archiver.AbstractUnArchiver;
@@ -32,7 +34,6 @@
 import org.codehaus.plexus.archiver.util.ArchiveEntryUtils;
 import org.codehaus.plexus.components.io.resources.PlexusIoResource;
 import org.codehaus.plexus.util.FileUtils;
-import org.codehaus.plexus.util.IOUtil;
 
 /**
  * @author Emmanuel Venisse
@@ -227,17 +228,7 @@ protected void extractFile( final File srcF, final File dir, final InputStream c
         }
         else
         {
-            OutputStream out = null;
-            try
-            {
-                out = new FileOutputStream( f );
-
-                IOUtil.copy( compressedInputStream, out );
-            }
-            finally
-            {
-                IOUtil.close( out );
-            }
+            Files.copy( compressedInputStream, f.toPath(), StandardCopyOption.REPLACE_EXISTING );
         }
 
         f.setLastModified( entryDate.getTime() );
-- 
2.41.0
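Review bot: The added `Files.copy( compressedInputStream, f.toPath(), StandardCopyOption.REPLACE_EXISTING );` line in the third hunk carries the entire fix, but nothing in the code records why the stream-based write was dropped, so a later cleanup could reintroduce `new FileOutputStream( f )` and silently write through a symlink again; add a comment above it such as `// REPLACE_EXISTING removes an existing symlink at f instead of following it (CVE-2023-37460)`. Because REPLACE_EXISTING deletes the existing target before the copy, the new code throws `DirectoryNotEmptyException` when `f` is a non-empty directory and replaces an empty one outright, where the old `FileOutputStream` path failed with a `FileNotFoundException`; callers outside this hunk that distinguish those cases may need a matching update. After this hunk the `java.io.OutputStream` import kept as context in the first hunk, and the `java.io.FileOutputStream` import if the file has one, appear unused unless another method still needs them. extractFile starts and ends outside the hunk.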