From c1d6d0d4a1bc6215d8861a345503f1a1c951a49a Mon Sep 17 00:00:00 2001
From: PJ Fanning
Date: Tue, 9 Jul 2024 09:46:46 +0000
Subject: make validateEntryNames use case insensitive check
git-svn-id: https://svn.apache.org/repos/asf/poi/trunk@1919058 13f79535-47bb-0310-9956-ffa450edef68
---
 .../poi/openxml4j/util/ZipInputStreamZipEntrySource.java | 9 ++++++++-
 .../main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java | 10 ++++++++--
 2 files changed, 16 insertions(+), 3 deletions(-)
(limited to 'poi-ooxml/src')
diff --git a/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipInputStreamZipEntrySource.java b/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipInputStreamZipEntrySource.java
index 676a9a3c0c..5bc09a73e3 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipInputStreamZipEntrySource.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipInputStreamZipEntrySource.java
@@ -22,6 +22,7 @@ import java.util.Collections;
 import java.util.Enumeration;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Locale;
 import java.util.Map;
 import java.util.Set;
@@ -90,6 +91,8 @@ public class ZipInputStreamZipEntrySource implements ZipEntrySource {
 * into memory, and don't close (since POI 4.0.1) the source stream.
 * We'll then eat lots of memory, but be able to
 * work with the entries at-will.
+ * @throws IOException if an error occurs while reading the zip entries
+ * @throws InvalidZipException if the input file contains an entry with an empty name or more than 1 entry with the same name
 * @see #setThresholdBytesForTempFiles
 */
 public ZipInputStreamZipEntrySource(ZipArchiveThresholdInputStream inp) throws IOException {
@@ -100,8 +103,12 @@ public class ZipInputStreamZipEntrySource implements ZipEntrySource {
 break;
 }
 String name = zipEntry.getName();
+ if (name == null || name.isEmpty()) {
+ throw new InvalidZipException("Input file contains an entry with an empty name");
+ }
+ name = name.toLowerCase(Locale.ROOT);
 if (filenames.contains(name)) {
- throw new InvalidZipException("Input file contains more than 1 entry with the name " + name);
+ throw new InvalidZipException("Input file contains more than 1 entry with the name " + zipEntry.getName());
 }
 filenames.add(name);
 zipEntries.put(name, new ZipArchiveFakeEntry(zipEntry, inp));
diff --git a/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java b/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
index 233661f5de..f022737f69 100644
--- a/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
+++ b/poi-ooxml/src/main/java/org/apache/poi/openxml4j/util/ZipSecureFile.java
@@ -21,6 +21,7 @@ import java.io.File;
 import java.io.IOException;
 import java.util.Enumeration;
 import java.util.HashSet;
+import java.util.Locale;
 import java.util.Set;
 import org.apache.commons.compress.archivers.zip.ZipArchiveEntry;
@@ -257,9 +258,14 @@ public class ZipSecureFile extends ZipFile {
 final Enumeration en = getEntries();
 final Set filenames = new HashSet<>();
 while (en.hasMoreElements()) {
- String name = en.nextElement().getName();
+ final ZipArchiveEntry entry = en.nextElement();
+ String name = entry.getName();
+ if (name == null || name.isEmpty()) {
+ throw new InvalidZipException("Input file contains an entry with an empty name");
+ }
+ name = name.toLowerCase(Locale.ROOT);
 if (filenames.contains(name)) {
- throw new InvalidZipException("Input file contains more than 1 entry with the name " + name);
+ throw new InvalidZipException("Input file contains more than 1 entry with the name " + entry.getName());
 }
 filenames.add(name);
 }
-- cgit v1.2.3
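Review bot: In the `ZipInputStreamZipEntrySource` constructor hunk, reassigning `name = name.toLowerCase(Locale.ROOT)` also changes the key passed to `zipEntries.put(name, ...)` at the end of the hunk, so entries are now stored under the folded name instead of the name in the archive. The lookup code is outside this hunk; if it tries an exact-case match first, every mixed-case part name would presumably miss that match, and would fail outright if there is no case-insensitive fallback. Keeping the folded value in its own variable avoids the side effect: `final String key = name.toLowerCase(Locale.ROOT);`, then `if (filenames.contains(key)) {` and `filenames.add(key);`, with `zipEntries.put(name, ...)` left as it was. If the lower-cased map key is intended, a comment on the `put` line saying so would help. The constructor body begins and ends outside the hunk.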
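Review bot: The empty-name and duplicate-name checks in the `while` loop of the `ZipSecureFile` hunk repeat, statement for statement, the ones added to the `ZipInputStreamZipEntrySource` constructor earlier in this commit, so the two code paths that accept an archive can drift apart the next time one of them is tightened. A single package-private static helper that takes the raw entry name and the set of names already seen, and throws `InvalidZipException`, would keep both in step. Inside it the `contains`/`add` pair collapses to `if (!seen.add(folded)) {`. The enclosing method begins and ends outside this hunk.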