Merge branch 'bugfix'

forki · forki · commit fc45db40b594 · 2019-12-05T09:35:12.000+01:00
# Conflicts:
#	RELEASE_NOTES.md
#	src/LockFileComparer/AssemblyInfo.fs
#	src/Paket.Bootstrapper/Properties/AssemblyInfo.cs
#	src/Paket.Core/AssemblyInfo.fs
#	src/Paket/AssemblyInfo.fs
diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md
@@ -1,6 +1,9 @@
-#### 6.0.0-alpha004 - 2019-12-04
+#### 6.0.0-alpha005 - 2019-12-05
 * Full .NET Core / SDK compatible version
 
+#### 5.240.1 - 2019-12-05
+* SECURITY: Check against zip leak in the workaround case of 5.240.0 - https://github.com/fsprojects/Paket/pull/3747
+
 #### 5.240.0 - 2019-12-04
 * WORKAROUND: Microsoft pushed couple of invalid zips to nuget.org this works around it - https://github.com/fsprojects/Paket/issues/3743
 
diff --git a/src/Paket.Core/Dependencies/NuGetCache.fs b/src/Paket.Core/Dependencies/NuGetCache.fs
@@ -534,11 +534,26 @@ let ExtractPackage(fileName:string, targetFolder, packageName:PackageName, versi
             with
             | exn ->
                 try
+                    let target = FileInfo(targetFolder).FullName |> normalizePath
                     traceWarnfn "Package couldn't be extracted to %s. Message: %s. Trying to extract files individually." targetFolder exn.Message
                     use archive = ZipFile.OpenRead fileName
                     for entry in archive.Entries do
-                        let destinationPath = Path.GetFullPath(Path.Combine(targetFolder, entry.FullName))
+                        let destinationPath = Path.GetFullPath(Path.Combine(targetFolder, entry.FullName.Trim([| '/'; '\\'|])))
+
                         let fi = FileInfo(destinationPath)
+                        let folder = fi.Directory.FullName |> normalizePath
+                        let isSubFolder =
+                            let comparer =
+                                if isLinux then
+                                    System.StringComparison.Ordinal
+                                else
+                                    System.StringComparison.OrdinalIgnoreCase
+
+                            folder.StartsWith(target,comparer)
+
+                        if not isSubFolder then
+                            raise (Exception(sprintf "Error during extraction of %s.%sPackage is corrupted or possible zip leak attac in entry \"%s\"." fileName Environment.NewLine entry.FullName))
+
                         if not fi.Directory.Exists then
                             fi.Directory.Create()
                         if fi.Exists then
