From 9d11781c0812abec1ead8b01a82986568e290939 Mon Sep 17 00:00:00 2001
From: trungPa <trungpaaa@gmail.com>
Date: Wed, 3 Mar 2021 11:44:28 +0700
Subject: [PATCH] Prevent extracting zip entries outside of destination path

---
 .../springframework/boot/jarmode/layertools/ExtractCommand.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/spring-boot-project/spring-boot-tools/spring-boot-jarmode-layertools/src/main/java/org/springframework/boot/jarmode/layertools/ExtractCommand.java b/spring-boot-project/spring-boot-tools/spring-boot-jarmode-layertools/src/main/java/org/springframework/boot/jarmode/layertools/ExtractCommand.java
index f3a49211288d..0e34c2936419 100644
--- a/spring-boot-project/spring-boot-tools/spring-boot-jarmode-layertools/src/main/java/org/springframework/boot/jarmode/layertools/ExtractCommand.java
+++ b/spring-boot-project/spring-boot-tools/spring-boot-jarmode-layertools/src/main/java/org/springframework/boot/jarmode/layertools/ExtractCommand.java
@@ -88,7 +88,7 @@ protected void run(Map<Option, String> options, List<String> parameters) {
 	private void write(ZipInputStream zip, ZipEntry entry, File destination) throws IOException {
 		String path = StringUtils.cleanPath(entry.getName());
 		File file = new File(destination, path);
-		if (file.getAbsolutePath().startsWith(destination.getAbsolutePath())) {
+		if (file.getCanonicalPath().startsWith(destination.getCanonicalPath() + File.separator)) {
 			mkParentDirs(file);
 			try (OutputStream out = new FileOutputStream(file)) {
 				StreamUtils.copy(zip, out);