Merge pull request #22 from Ayesh/malicious-path-check-improvements

Improve path traversal detection for forward and backward slashes
pear · Jan 15, 2019 · d1d112c · d1d112c
2 parents ff716ca + 86f8afb
commit d1d112c
Showing 1 changed file with 2 additions and 5 deletions.
diff --git a/Archive/Tar.php b/Archive/Tar.php
@@ -1770,11 +1770,8 @@ private function _maliciousFilename($file)
         if (strpos($file, 'phar://') === 0) {
             return true;
         }
-        if (strpos($file, DIRECTORY_SEPARATOR . '..' . DIRECTORY_SEPARATOR) !== false) {
-            return true;
-        }
-        if (strpos($file, '..' . DIRECTORY_SEPARATOR) === 0) {
-            return true;
+        if (strpos($file, '../') !== false || strpos($file, '..\\') !== false) {
+                return true;
         }
         return false;
     }