diff --git a/src/embedded_template.rs b/src/embedded_template.rs
index 5596803..fd14c56 100644
--- a/src/embedded_template.rs
+++ b/src/embedded_template.rs
@@ -13,9 +13,9 @@ impl EmbeddedTemplate {
 /// Get the embedded template files
 pub fn new() -> Self {
 Self {
- cargo_toml: include_str!("./template/crg.toml"),
- build_rs: include_str!("./template/build.rs"),
- main_rs: include_str!("./template/src/main.rs"),
+ cargo_toml: include_str!("template/crg.toml"),
+ build_rs: include_str!("template/build.rs"),
+ main_rs: include_str!("template/src/main.rs"),
 }
 }
diff --git a/src/template/src/main.rs b/src/template/src/main.rs
index a7e034a..b8793ab 100644
--- a/src/template/src/main.rs
+++ b/src/template/src/main.rs
@@ -89,13 +89,29 @@ fn extract_application(app_dir: &Path) -> Result<()> {
 for i in 0..archive.len() {
 let mut file = archive.by_index(i).context("Failed to read zip entry")?;
- // Normalize the file path for the current platform
- // Zip files use forward slashes, but we need proper path separators for the OS
+ // Get the file name from the zip entry
 let file_name = file.name();
- // Use Path::new to properly handle path separators across platforms
- let normalized_path = Path::new(file_name);
- let outpath = app_dir.join(normalized_path);
+ // Skip entries with invalid characters or paths
+ if file_name.is_empty() || file_name.contains('\0') {
+ continue;
+ }
+
+ // Normalize path separators for the current platform
+ // Zip files always use forward slashes, convert to platform-specific separators
+ let normalized_name = if cfg!(windows) {
+ file_name.replace('/', "\\")
+ } else {
+ file_name.to_string()
+ };
+
+ // Create the output path using platform-specific path handling
+ let outpath = app_dir.join(&normalized_name);
+
+ // Ensure the path is within the app directory (security check)
+ if !outpath.starts_with(app_dir) {
+ continue;
+ }
 if file_name.ends_with('/') {
 // Directory
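Review bot: The containment check `if !outpath.starts_with(app_dir)` in the second hunk (src/template/src/main.rs) does not stop entry names that contain `..` components: `Path::starts_with` compares components lexically without resolving them, so the joined path keeps `app_dir` as its prefix and passes. Only absolute entry names, which replace the base in `join`, are rejected by it. I would take the relative path from the zip crate's sanitising accessor instead, `let Some(rel) = file.enclosed_name() else { continue };` followed by `let outpath = app_dir.join(rel);`, assuming the zip version in use provides `enclosed_name`. Rejected entries are also skipped silently; returning an error or logging the entry name would make a tampered archive visible. The body of `extract_application` continues outside the hunk.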