Merge branch 'add_ssl_tests' of github.com:alexandreFre/terraform-provider-statuscake

[github/fretlink/terraform-provider-statuscake.git] / vendor / github.com / hashicorp / go-getter / decompress_zip.go

diff --git a/vendor/github.com/hashicorp/go-getter/decompress_zip.go b/vendor/github.com/hashicorp/go-getter/decompress_zip.go
index a065c076ffe3a1f1d56b0418b794ddd4977ad664..0830f79143e790a4e78d98b97939434ebfc5eb82 100644 (file)
--- a/vendor/github.com/hashicorp/go-getter/decompress_zip.go
+++ b/vendor/github.com/hashicorp/go-getter/decompress_zip.go
@@ -9,7 +9,7 @@ import (
 )
 
 // ZipDecompressor is an implementation of Decompressor that can
-// decompress tar.gzip files.
+// decompress zip files.
 type ZipDecompressor struct{}
 
 func (d *ZipDecompressor) Decompress(dst, src string, dir bool) error {
@@ -42,6 +42,11 @@ func (d *ZipDecompressor) Decompress(dst, src string, dir bool) error {
        for _, f := range zipR.File {
                path := dst
                if dir {
+                       // Disallow parent traversal
+                       if containsDotDot(f.Name) {
+                               return fmt.Errorf("entry contains '..': %s", f.Name)
+                       }
+
                        path = filepath.Join(path, f.Name)
                }