diff --git a/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java b/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java index 681c506b1b..575d0f38e2 100644 --- a/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java +++ b/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java @@ -159,6 +159,9 @@ public static void zip(String parentDir, String[] inputFiles, String outputFile) TarArchiveEntry entry = null; while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) { final File outputFile = new File(outputDir, entry.getName()); + if (!outputFile.toPath().startsWith(outputDir.toPath())) { + throw new IOException("Untarred file is not under the output directory"); + } if (entry.isDirectory()) { if (flatten) { // no sub-directories