Disallow leading / in zip archives

2022-08-18 16:45:15 +02:00
parent 3248bd74d1
commit acc07ffa5d
1 changed files with 1 additions and 1 deletions
--- a/app/controllers/submissions_controller.rb
+++ b/app/controllers/submissions_controller.rb
@ -27,7 +27,7 @@ class SubmissionsController < ApplicationController

    stringio = Zip::OutputStream.write_buffer do |zio|
      @files.each do |file|
-        zio.put_next_entry(file.filepath)
+        zio.put_next_entry(file.filepath.delete_prefix('/'))
        zio.write(file.content.presence || file.native_file.read)
      end