rubyzip 1.2.2 → 1.2.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 898367588fc593bddd565ee8626c75cfbcddfce2
-  data.tar.gz: 24d90fd344a11d8cf3b8098c459eb2c765e933e7
+SHA256:
+  metadata.gz: 5bed33b4d4b864f1ad4d1a3483022c13b8079a607b2e4afc5b3828b9267f04c8
+  data.tar.gz: 0acb47d50691a266b1abc45e9b9c2abe5ac2310f38706ef5905bf53723e1f26d
 SHA512:
-  metadata.gz: 4f00c8c74720ba3bf103596601400f57e89d03cdd90b4423debd4c96ed6150a3db0fa8f7407201657cf6a7ee0b2e6586c7a284e1398dd1cf44c523799e1b25be
-  data.tar.gz: 3a434114b84d7b109e26aec4821b395ad100efda591ad004656c6b5fd8cdba3740e50c171409c726a9770996e0815ef0324c87063d975024642c6f89ba56377e
+  metadata.gz: 64da2a44d5a0b167ad81023554552f7cf101a6e5eb380ef356abaeb3c97d40e6dc6a5013b3fbfa615823833106bb31c8766e38b81d378b685a4eb680f5cc4ab5
+  data.tar.gz: 7f8157731ecfbb4497e97dcaff38bb6f259c5b18f070e04d5706170a999c7e0d41a32487fbf0e297836f60669f6d0a3e0cbbead7f5c2a06b56f651285786163e

data/lib/zip/entry.rb

@@ -1,3 +1,4 @@
+require 'pathname'
 module Zip
   class Entry
     STORED   = 0
@@ -117,7 +118,7 @@ module Zip
       return false unless cleanpath.relative?
       root = ::File::SEPARATOR
       naive_expanded_path = ::File.join(root, cleanpath.to_s)
-      cleanpath.expand_path(root).to_s == naive_expanded_path
+      ::File.absolute_path(cleanpath.to_s, root) == naive_expanded_path
     end
 
     def local_entry_offset #:nodoc:all
@@ -275,10 +276,10 @@ module Zip
       zip64 = @extra['Zip64']
       [::Zip::LOCAL_ENTRY_SIGNATURE,
        @version_needed_to_extract, # version needed to extract
-       @gp_flags, # @gp_flags                  ,
+       @gp_flags, # @gp_flags
        @compression_method,
-       @time.to_binary_dos_time, # @last_mod_time              ,
-       @time.to_binary_dos_date, # @last_mod_date              ,
+       @time.to_binary_dos_time, # @last_mod_time
+       @time.to_binary_dos_date, # @last_mod_date
        @crc,
        zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
        zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
@@ -432,11 +433,11 @@ module Zip
         @header_signature,
         @version, # version of encoding software
         @fstype, # filesystem type
-        @version_needed_to_extract, # @versionNeededToExtract           ,
-        @gp_flags, # @gp_flags                          ,
+        @version_needed_to_extract, # @versionNeededToExtract
+        @gp_flags, # @gp_flags
         @compression_method,
-        @time.to_binary_dos_time, # @last_mod_time                      ,
-        @time.to_binary_dos_date, # @last_mod_date                      ,
+        @time.to_binary_dos_time, # @last_mod_time
+        @time.to_binary_dos_date, # @last_mod_date
         @crc,
         zip64 && zip64.compressed_size ? 0xFFFFFFFF : @compressed_size,
         zip64 && zip64.original_size ? 0xFFFFFFFF : @size,
@@ -602,7 +603,7 @@ module Zip
         get_input_stream do |is|
           set_extra_attributes_on_path(dest_path)
 
-          buf = ''
+          buf = ''.dup
           while (buf = is.sysread(::Zip::Decompressor::CHUNK_SIZE, buf))
             os << buf
           end

data/lib/zip/extra_field.rb

@@ -26,7 +26,7 @@ module Zip
     end
 
     def create_unknown_item
-      s = ''
+      s = ''.dup
       class << s
         alias_method :to_c_dir_bin, :to_s
         alias_method :to_local_bin, :to_s

data/lib/zip/inflater.rb

@@ -3,7 +3,7 @@ module Zip
     def initialize(input_stream, decrypter = NullDecrypter.new)
       super(input_stream)
       @zlib_inflater           = ::Zlib::Inflate.new(-Zlib::MAX_WBITS)
-      @output_buffer           = ''
+      @output_buffer           = ''.dup
       @has_returned_empty_string = false
       @decrypter = decrypter
     end

data/lib/zip/version.rb

@@ -1,3 +1,3 @@
 module Zip
-  VERSION = '1.2.2'
+  VERSION = '1.2.3'
 end

data/test/path_traversal_test.rb

@@ -131,4 +131,11 @@ class PathTraversalTest < MiniTest::Test
       refute File.exist?('/tmp/file.txt')
     end
   end
+
+  def test_entry_name_with_tilde
+    in_tmpdir do
+      extract_path_traversal_zip 'tilde.zip'
+      assert File.exist?('~tilde~')
+    end
+  end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: rubyzip
 version: !ruby/object:Gem::Version
-  version: 1.2.2
+  version: 1.2.3
 platform: ruby
 authors:
 - Alexander Simonov
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-08-31 00:00:00.000000000 Z
+date: 2019-05-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rake
@@ -164,6 +164,7 @@ files:
 - test/data/path_traversal/jwilk/relative2.zip
 - test/data/path_traversal/jwilk/symlink.zip
 - test/data/path_traversal/relative1.zip
+- test/data/path_traversal/tilde.zip
 - test/data/path_traversal/tuzovakaoff/README.md
 - test/data/path_traversal/tuzovakaoff/absolutepath.zip
 - test/data/path_traversal/tuzovakaoff/symlink.zip
@@ -226,8 +227,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubyforge_project: 
-rubygems_version: 2.6.13
+rubygems_version: 3.0.1
 signing_key: 
 specification_version: 4
 summary: rubyzip is a ruby module for reading and writing zip files
@@ -280,6 +280,7 @@ test_files:
 - test/data/rubycode2.zip
 - test/data/mimetype
 - test/data/zipWithEncryption.zip
+- test/data/path_traversal/tilde.zip
 - test/data/path_traversal/Makefile
 - test/data/path_traversal/relative1.zip
 - test/data/path_traversal/jwilk/dirsymlink.zip