wixtoolset / issues

WiX Toolset Issues Tracker

Home Page: http://wixtoolset.org/

DTF vulnerable to "Zip Slip"

firegiantco opened this issue · comments

Please provide answers to the following questions to help us narrow down, reproduce, and fix the problem. Fill out one section and delete the others.

  • Which version of WiX are you building with?

WiX v3.11.1

  • Which version of Visual Studio are you building with (if any)?

N/A

  • Which version of the WiX Toolset Visual Studio Extension are you building with (if any)?

N/A

  • Which version of .NET are you building with?

Any

  • If the problem occurs when installing your packages built with WiX, what is the version of Windows the package is running on?

N/A

  • Describe the problem and the steps to reproduce it.

A maliciously crafted cabinet or zip file can be created with traversal paths in the archived file names. For example, ..\..\hackedu.dll. DTF's ArchiveFileStreamContext will concatenate the archived file path with a provided base directory, such that the traversal path can place the file outside the provided base directory and possibly overwrite the user's files. This is known as Zip Slip.
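The following is an added, language-neutral illustration of the problem described above and of the containment check an extractor needs; it is not DTF's code and does not call the DTF API. It uses Python's `ntpath` so that Windows path semantics (backslashes, drive letters, case-insensitive comparison) are applied regardless of the host, and the entry names, base directory and function names are constructed for the example.

```python
import ntpath


class UnsafeEntryError(ValueError):
    """Raised for an archive entry whose name would land outside the base directory."""


def naive_target(base_dir: str, entry_name: str) -> str:
    """The vulnerable pattern from the report: plain concatenation of base + entry name.

    For '..\\..\\hackedu.dll' this yields a path that resolves two levels above base_dir.
    """
    return ntpath.join(base_dir, entry_name)


def safe_target(base_dir: str, entry_name: str) -> str:
    """Return the resolved target path for an entry, or raise UnsafeEntryError.

    Rules (constructed for this example):
      * base_dir must be absolute, so the containment comparison is meaningful;
      * entry names that are rooted ('\\x'), drive-qualified ('D:x') or UNC are rejected,
        because Windows path joining would discard base_dir for them;
      * after normalisation (which collapses '..'), the result must still lie under base_dir.
    """
    if not ntpath.splitdrive(base_dir)[0] or not ntpath.normpath(base_dir).startswith(
        ntpath.splitdrive(base_dir)[0] + "\\"
    ):
        raise ValueError("base_dir must be an absolute, drive-qualified Windows path")
    if not entry_name:
        raise UnsafeEntryError("empty entry name")

    # Cabinet and zip entries may use either separator; canonicalise to backslash.
    name = entry_name.replace("/", "\\")
    drive, _ = ntpath.splitdrive(name)
    if drive or name.startswith("\\"):
        raise UnsafeEntryError(f"rooted or drive-qualified entry name: {entry_name!r}")

    base = ntpath.normpath(base_dir)
    candidate = ntpath.normpath(ntpath.join(base, name))

    # Containment: compare case-insensitively and require a separator after the base,
    # so 'C:\\Extract2\\x' is not mistaken for a child of 'C:\\Extract'.
    base_cmp = ntpath.normcase(base)
    prefix = base_cmp if base_cmp.endswith("\\") else base_cmp + "\\"
    if not ntpath.normcase(candidate).startswith(prefix):
        raise UnsafeEntryError(f"entry escapes base directory: {entry_name!r} -> {candidate}")
    return candidate


def plan_extraction(base_dir: str, entry_names):
    """Partition entries into (accepted, rejected) without touching the filesystem.

    accepted: list of (entry_name, target_path); rejected: list of (entry_name, reason).
    """
    accepted, rejected = [], []
    for name in entry_names:
        try:
            accepted.append((name, safe_target(base_dir, name)))
        except UnsafeEntryError as exc:
            rejected.append((name, str(exc)))
    return accepted, rejected


# Constructed sample archive listing; the '..\\..\\hackedu.dll' name is the one from the report.
SAMPLE_ENTRIES = [
    "bin\\app.dll",
    "docs/readme.txt",
    "..\\..\\hackedu.dll",
    "D:\\elsewhere\\file.txt",
    "\\rooted.txt",
    "sub\\..\\ok.txt",
    "sub\\..\\..\\escape.txt",
]

if __name__ == "__main__":
    base = "C:\\Extract"
    print("naive join of traversal name:", naive_target(base, "..\\..\\hackedu.dll"))
    ok, bad = plan_extraction(base, SAMPLE_ENTRIES)
    for name, target in ok:
        print(f"accept  {name!r:28} -> {target}")
    for name, reason in bad:
        print(f"reject  {name!r:28} : {reason}")
```

The decisive detail is that the check runs on the normalised result of the join, not on the raw entry name: a name like `sub\..\..\escape.txt` contains no leading `..` yet still escapes, while `sub\..\ok.txt` is harmless. Rejecting rooted and drive-qualified names separately is necessary because a Windows join simply replaces the base directory for those, so they would never reach the prefix comparison.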

  • Describe the behavior you expected and how it differed from the actual behavior.

DTF should not write files outside the extraction folder.

This issue was originally reported by Devin Casadey.