Skip to content

Commit 13e35f2

Browse files
ctalkingtonctalkington
committed
core: sanitizing the dirpath could cause issues with certain path formats (ie ../) that may be valid otherwise.
1 parent 5f25116 commit 13e35f2

File tree

2 files changed

+10
-16
lines changed

2 files changed

+10
-16
lines changed

lib/core.js

Lines changed: 3 additions & 9 deletions
Original file line numberDiff line numberDiff line change
@@ -382,15 +382,9 @@ Archiver.prototype.directory = function(dirpath, destpath, data) {
382382

383383
this._pending++;
384384

385-
dirpath = util.sanitizePath(dirpath);
386-
dirpath = util.trailingSlashIt(dirpath);
387-
388-
if (typeof destpath === 'string') {
389-
destpath = util.sanitizePath(destpath);
390-
destpath = destpath === '' ? '' : util.trailingSlashIt(destpath);
391-
} else if (destpath === false) {
385+
if (destpath === false) {
392386
destpath = '';
393-
} else {
387+
} else if (typeof destpath !== 'string'){
394388
destpath = dirpath;
395389
}
396390

@@ -406,7 +400,7 @@ Archiver.prototype.directory = function(dirpath, destpath, data) {
406400
} else {
407401
results.forEach(function(file) {
408402
var entryData = util._.extend({}, data);
409-
entryData.name = destpath + file.relative;
403+
entryData.name = util.sanitizePath(destpath, file.relative);
410404
entryData.stats = file.stats;
411405

412406
self._append(file.path, entryData);

lib/util/index.js

Lines changed: 7 additions & 7 deletions
Original file line numberDiff line numberDiff line change
@@ -105,9 +105,6 @@ util.unixifyPath = function() {
105105
util.walkdir = function(dirpath, base, callback) {
106106
var results = [];
107107

108-
dirpath = util.sanitizePath(dirpath);
109-
dirpath = util.trailingSlashIt(dirpath);
110-
111108
if (typeof base === 'function') {
112109
callback = base;
113110
base = dirpath;
@@ -116,6 +113,7 @@ util.walkdir = function(dirpath, base, callback) {
116113
fs.readdir(dirpath, function(err, list) {
117114
var i = 0;
118115
var file;
116+
var filepath;
119117

120118
if (err) {
121119
return callback(err);
@@ -128,15 +126,17 @@ util.walkdir = function(dirpath, base, callback) {
128126
return callback(null, results);
129127
}
130128

131-
fs.stat(dirpath + file, function (err, stats) {
129+
filepath = path.join(dirpath, file);
130+
131+
fs.stat(filepath, function(err, stats) {
132132
results.push({
133-
path: dirpath + file,
134-
relative: path.relative(base, dirpath + file).replace(/\\/g, '/'),
133+
path: filepath,
134+
relative: path.relative(base, filepath).replace(/\\/g, '/'),
135135
stats: stats
136136
});
137137

138138
if (stats && stats.isDirectory()) {
139-
util.walkdir(dirpath + file, base, function(err, res) {
139+
util.walkdir(filepath, base, function(err, res) {
140140
results = results.concat(res);
141141
next();
142142
});

0 commit comments

Comments
 (0)