fix(font): prevent zipslip attacks

2025-01-29 12:01:07 -08:00 · 2024-07-14 20:41:10 +02:00 · 2024-07-14 20:41:10 +02:00 · 08c37417a2
parent 4aba8fa9db
commit 08c37417a2
1 changed files with 6 additions and 0 deletions
--- a/src/font/install.go
+++ b/src/font/install.go
@ -35,6 +35,12 @@ func InstallZIP(data []byte, user bool) ([]string, error) {
 	fonts := make(map[string]*Font)

 	for _, zf := range zipReader.File {
+		// prevent zipslip attacks
+		// https://security.snyk.io/research/zip-slip-vulnerability
+		if strings.Contains(zf.Name, "..") {
+			continue
+		}
+
 		rc, err := zf.Open()
 		if err != nil {
 			return families, err