v7.4.0-beta.0

Try fix safezip for google play
v7.3.8
2025-09-18 00:56:10 +08:00 · 2022-01-19 21:30:56 +08:00 · 2022-01-19 21:29:35 +08:00 · 2021-11-22 18:12:02 +08:00 · 2021-11-11 18:46:48 +08:00 · 2021-11-11 18:09:21 +08:00
5 changed files with 17 additions and 45 deletions
--- a/android/src/main/java/cn/reactnative/modules/update/SafeZipFile.java
+++ b/android/src/main/java/cn/reactnative/modules/update/SafeZipFile.java
@@ -16,40 +16,6 @@ public class SafeZipFile extends ZipFile {
        super(file);
    }

-    @Override
-    public Enumeration<? extends ZipEntry> entries() {
-        return new SafeZipEntryIterator(super.entries());
-    }
-
-    private static class SafeZipEntryIterator implements Enumeration<ZipEntry> {
-
-        final private Enumeration<? extends ZipEntry> delegate;
-
-        private SafeZipEntryIterator(Enumeration<? extends ZipEntry> delegate) {
-            this.delegate = delegate;
-        }
-
-        @Override
-        public boolean hasMoreElements() {
-            return delegate.hasMoreElements();
-        }
-
-        @Override
-        public ZipEntry nextElement() {
-            ZipEntry entry = delegate.nextElement();
-            if (null != entry) {
-                String name = entry.getName();
-                /**
-                 * avoid ZipperDown
-                 */
-                if (null != name && (name.contains("../") || name.contains("..\\"))) {
-                    throw new SecurityException("illegal entry: " + entry.getName());
-                }
-            }
-            return entry;
-        }
-    }
-
    public void unzipToFile(ZipEntry entry, File output) throws IOException {
        InputStream inputStream = null;
        try {
@@ -63,6 +29,11 @@ public class SafeZipFile extends ZipFile {
    }

    private void writeOutInputStream(File file, InputStream inputStream) throws IOException {
+        // https://support.google.com/faqs/answer/9294009
+        String canonicalPath = file.getCanonicalPath();
+        if (!canonicalPath.startsWith(UpdateContext.getRootDir())) {
+            throw new SecurityException("illegal entry: " + file.getName());
+        }
        BufferedOutputStream output = null;
        try {
            output = new BufferedOutputStream(
--- a/android/src/main/java/cn/reactnative/modules/update/UpdateContext.java
+++ b/android/src/main/java/cn/reactnative/modules/update/UpdateContext.java
@@ -19,13 +19,14 @@ import java.io.File;

 public class UpdateContext {
    private Context context;
-    private File rootDir;
+    private static File rootDir;
    private Executor executor;

    public static boolean DEBUG = false;
    private static ReactInstanceManager mReactInstanceManager;
    private static boolean isUsingBundleUrl = false;

+
    public UpdateContext(Context context) {
        this.context = context;
        this.executor = Executors.newSingleThreadExecutor();
@@ -49,7 +50,7 @@ public class UpdateContext {
        }
    }

-    public String getRootDir() {
+    public static String getRootDir() {
        return rootDir.toString();
    }

--- a/lib/simpleUpdate.js
+++ b/lib/simpleUpdate.js
@@ -36,7 +36,7 @@ export function simpleUpdate(WrappedComponent) {
          this.checkUpdate();
        }
        componentWillUnmount() {
-          this.stateListener.remove();
+          this.stateListener && this.stateListener.remove();
        }
        doUpdate = async (info) => {
          try {
@@ -44,7 +44,7 @@ export function simpleUpdate(WrappedComponent) {
            if (!hash) {
              return;
            }
-            this.stateListener.remove();
+            this.stateListener && this.stateListener.remove();
            Alert.alert('提示', '下载完毕，是否立即更新?', [
              {
                text: '以后再说',
@@ -94,7 +94,7 @@ export function simpleUpdate(WrappedComponent) {
                },
              },
            ]);
-          } else {
+          } else if (info.update) {
            Alert.alert(
              '提示',
              '检查到新的版本' + info.name + ',是否下载?\n' + info.description,
--- a/package.json
+++ b/package.json
@@ -1,6 +1,6 @@
 {
  "name": "react-native-update",
-  "version": "7.3.3",
+  "version": "7.4.0-beta.0",
  "description": "react-native hot update",
  "main": "lib/index.js",
  "scripts": {
@@ -28,6 +28,6 @@
  },
  "homepage": "https://github.com/reactnativecn/react-native-pushy#readme",
  "dependencies": {
-    "nanoid": "^3.1.28"
+    "nanoid": "^3.1.30"
  }
 }
--- a/yarn.lock
+++ b/yarn.lock
@@ -2,7 +2,7 @@
 # yarn lockfile v1


-nanoid@^3.1.28:
-  version "3.1.28"
-  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.1.28.tgz#3c01bac14cb6c5680569014cc65a2f26424c6bd4"
-  integrity sha512-gSu9VZ2HtmoKYe/lmyPFES5nknFrHa+/DT9muUFWFMi6Jh9E1I7bkvlQ8xxf1Kos9pi9o8lBnIOkatMhKX/YUw==
+nanoid@^3.1.30:
+  version "3.1.30"
+  resolved "https://registry.yarnpkg.com/nanoid/-/nanoid-3.1.30.tgz#63f93cc548d2a113dc5dfbc63bfa09e2b9b64362"
+  integrity sha512-zJpuPDwOv8D2zq2WRoMe1HsfZthVewpel9CAvTfc/2mBD1uUT/agc5f7GHGWXlYkFvi1mVxe4IjvP2HNrop7nQ==
Author	SHA1	Message	Date
sunnylqm	d76e8052f5	v7.4.0-beta.0	2022-01-19 21:30:56 +08:00
sunnylqm	3ebf6e95c9	Try fix safezip for google play	2022-01-19 21:29:35 +08:00
sunnylqm	2ae4180840	v7.3.8	2021-11-22 18:12:02 +08:00
sunnylqm	ec0a9e0a3e	Revert "Update pod script path" This reverts commit `fddae3d79a`.	2021-11-11 18:46:48 +08:00
sunnylqm	b34b70ed01	v7.3.6	2021-11-11 18:09:21 +08:00
sunnylqm	fddae3d79a	Update pod script path	2021-11-11 18:08:49 +08:00
sunnylqm	7fc0d717d5	v7.3.5	2021-11-10 22:31:56 +08:00
sunnylqm	686209d50e	Check stateListener	2021-11-10 22:31:23 +08:00
sunnylqm	80b0401b02	v7.3.4	2021-11-04 17:53:05 +08:00
sunnylqm	786d32d92f	Fix simpleUpdate	2021-11-04 17:52:30 +08:00