Bug 958221 - plexus-utils: directory traversal in org.codehaus.plexus.util.Expand
Summary: plexus-utils: directory traversal in org.codehaus.plexus.util.Expand
Keywords:
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: plexus-utils
Version: 20
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
Assignee: Mikolaj Izdebski
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks: 958220 1009414
TreeView+ depends on / blocked
 
Reported: 2013-04-30 15:32 UTC by Florian Weimer
Modified: 2016-05-09 04:28 UTC (History)
3 users (show)

Fixed In Version:
Clone Of:
: 1009414 (view as bug list)
Environment:
Last Closed: 2015-05-14 10:31:33 UTC
Type: Bug
Embargoed:

Attachments (Terms of Use)

Description Florian Weimer 2013-04-30 15:32:49 UTC 
org.codehaus.plexus.util.Expand does not guard against directory traversal, but such protection is generally expected from unarchiving tools.

I think the class should just be deprecated and removed because there do not appear to be any users left (not even a test case).
Comment 1 Fedora End Of Life 2013-09-16 13:43:25 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 20 development cycle.
Changing version to '20'.

More information and reason for this action is here:
https://fedoraproject.org/wiki/BugZappers/HouseKeeping/Fedora20
Comment 2 Mikolaj Izdebski 2015-05-14 10:31:33 UTC 
This is feature request and as such it has been forwarded upstream: http://jira.codehaus.org/browse/PLXUTILS-178
Comment 3 Florian Weimer 2015-09-21 09:54:11 UTC 
Re-reported upstream:

https://github.com/codehaus-plexus/plexus-utils/issues/4
https://github.com/sonatype/plexus-utils/issues/20
Comment 4 Mikolaj Izdebski 2016-05-09 04:28:44 UTC 
Fixed in upstream version 3.0.24
Note You need to log in before you can comment on or make changes to this bug.