in deployer/service/src/main/java/org/apache/karaf/cave/deployer/service/DeployerServiceImpl.java [296:326]
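/**
 * Opens the archive at {@code url} and unpacks its entries below {@code baseDir}.
 *
 * <p>Entry names come from the archive and are treated as untrusted. An entry is skipped
 * (with a warning) when its name contains {@code ..}, or when the destination it resolves to
 * is not located under {@code baseDir} once both paths are canonicalized. Every other entry is
 * handed to {@code extract(zipIs, entry, destFile)}.
 *
 * <p>NOTE(review): {@code url} is opened as given, whatever scheme it carries; if it can be
 * influenced by a remote caller, restrict the accepted schemes/hosts before calling this
 * method. No limit on entry count or uncompressed size is applied in this method — confirm
 * whether the per-entry {@code extract} overload or the caller bounds them.
 *
 * @param url     location of the archive, parsed with {@link URI} and opened as a stream
 * @param baseDir directory the entries are written under; created if missing
 * @throws Exception if the URL is malformed, the stream cannot be read, a path cannot be
 *                   canonicalized, or writing an entry fails
 */
public void extract(String url, File baseDir) throws Exception {
    // try-with-resources: both streams are closed even when closing the first one throws,
    // which the previous hand-written finally block did not guarantee.
    try (InputStream is = new URI(url).toURL().openStream()) {
        // Return value not checked here. NOTE(review): a failure to create baseDir is only
        // noticed when an entry is written — confirm the per-entry extract reports it.
        baseDir.mkdirs();
        // Canonicalize once; resolves symlinks and relative segments in the base itself.
        final File canonicalBase = baseDir.getCanonicalFile();

        try (JarInputStream zipIs = new JarInputStream(is)) {
            for (ZipEntry entry = zipIs.getNextEntry(); entry != null; entry = zipIs.getNextEntry()) {
                final String path = entry.getName();

                // Coarse textual filter kept from the original behaviour.
                if (path.contains("..")) {
                    LOGGER.warn("zip entry {} contains .. relative path. For security reasons, it's not allowed.", path);
                    continue;
                }

                final File destFile = new File(baseDir, path);

                // Defence in depth: the textual filter does not cover every way a name can
                // leave the target directory (e.g. a link already present under baseDir), so
                // compare canonical locations component-wise rather than by string prefix.
                if (!destFile.getCanonicalFile().toPath().startsWith(canonicalBase.toPath())) {
                    LOGGER.warn("zip entry {} resolves outside of the extraction directory {}. For security reasons, it's not allowed.", path, baseDir);
                    continue;
                }

                extract(zipIs, entry, destFile);
            }
        }
    }
}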