From 93175896ab7cc31266df0903490362ba37404676 Mon Sep 17 00:00:00 2001
From: Kevin Hendricks <kevin.b.hendricks@icloud.com>
Date: Wed, 26 Jun 2019 14:02:49 -0400
Subject: [PATCH] try to make extracting epubs safer

---
 src/zipios/src/zipextraction.cpp | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/src/zipios/src/zipextraction.cpp b/src/zipios/src/zipextraction.cpp
index 8541625..0e238c8 100644
--- a/src/zipios/src/zipextraction.cpp
+++ b/src/zipios/src/zipextraction.cpp
@@ -73,7 +73,17 @@ void ExtractZipToFolder( const fs::path &path_to_zip, const fs::path &path_to_fo
     {
         boost::scoped_ptr< std::istream > stream( zip.getInputStream( *it ) );
 
-        fs::path new_file_path = path_to_folder / (*it)->getName();
+        // for security reasons need to force any relative path
+        // to be inside the destination folder and not anyplace else
+        // do this by removing any and all upward relative path segments as
+	// epubs are not general zip archives used for backup
+	string azipfilepath = (*it)->getName();
+        size_t index = azipfilepath.find("../", 0);
+        while(index != std::string::npos) {
+	    azipfilepath.replace(index, 3,"");
+	    index = azipfilepath.find("../", 0);
+	}
+        fs::path new_file_path = path_to_folder / azipfilepath;
 
         CreateFilepath( new_file_path );
         WriteEntryToFile( *stream, new_file_path );