3 files changed, 58 insertions, 3 deletions

diff --git a/lib/stdlib/test/edlin_expand_SUITE.erl b/lib/stdlib/test/edlin_expand_SUITE.erl
index ccffa2e244..718d91c6a3 100644
--- a/lib/stdlib/test/edlin_expand_SUITE.erl
+++ b/lib/stdlib/test/edlin_expand_SUITE.erl
@@ -21,7 +21,7 @@
 -export([all/0, suite/0,groups/0,init_per_suite/1, end_per_suite/1, 
 	 init_per_testcase/2, end_per_testcase/2,
 	 init_per_group/2,end_per_group/2]).
--export([normal/1, quoted_fun/1, quoted_module/1, quoted_both/1]).
+-export([normal/1, quoted_fun/1, quoted_module/1, quoted_both/1, erl_1152/1]).
 
 -include_lib("common_test/include/ct.hrl").
 
@@ -36,7 +36,7 @@ suite() ->
      {timetrap,{minutes,1}}].
 
 all() -> 
-    [normal, quoted_fun, quoted_module, quoted_both].
+    [normal, quoted_fun, quoted_module, quoted_both, erl_1152].
 
 groups() -> 
     [].
@@ -149,5 +149,12 @@ quoted_both(Config) when is_list(Config) ->
     {yes,"weird-fun-name'()",[]} = do_expand("'ExpandTestCaps1':'#"),
     ok.
 
+erl_1152(Config) when is_list(Config) ->
+    "\n"++"foo"++"    "++[1089]++_ = do_format(["foo",[1089]]),
+    ok.
+
 do_expand(String) ->
     edlin_expand:expand(lists:reverse(String)).
+
+do_format(StringList) ->
+    lists:flatten(edlin_expand:format_matches(StringList)).
diff --git a/lib/stdlib/test/zip_SUITE.erl b/lib/stdlib/test/zip_SUITE.erl
index 2add5a39a2..7d90795c9e 100644
--- a/lib/stdlib/test/zip_SUITE.erl
+++ b/lib/stdlib/test/zip_SUITE.erl
@@ -25,6 +25,7 @@
          zip_to_binary/1,
          unzip_options/1, zip_options/1, list_dir_options/1, aliases/1,
          openzip_api/1, zip_api/1, open_leak/1, unzip_jar/1,
+	 unzip_traversal_exploit/1,
          compress_control/1,
 	 foldl/1]).
 
@@ -38,7 +39,8 @@ all() ->
     [borderline, atomic, bad_zip, unzip_from_binary,
      unzip_to_binary, zip_to_binary, unzip_options,
      zip_options, list_dir_options, aliases, openzip_api,
-     zip_api, open_leak, unzip_jar, compress_control, foldl].
+     zip_api, open_leak, unzip_jar, compress_control, foldl,
+     unzip_traversal_exploit].
 
 groups() -> 
     [].
@@ -377,6 +379,52 @@ unzip_options(Config) when is_list(Config) ->
     0 = delete_files([Subdir]),
     ok.
 
+%% Test that unzip handles directory traversal exploit (OTP-13633)
+unzip_traversal_exploit(Config) ->
+    DataDir = proplists:get_value(data_dir, Config),
+    PrivDir = proplists:get_value(priv_dir, Config),
+    ZipName = filename:join(DataDir, "exploit.zip"),
+
+    %% $ zipinfo -1 test/zip_SUITE_data/exploit.zip 
+    %% clash.txt
+    %% ../clash.txt
+    %% ../above.txt
+    %% subdir/../in_root_dir.txt
+
+    %% create a temp directory
+    SubDir = filename:join(PrivDir, "exploit_test"),
+    ok = file:make_dir(SubDir),
+    
+    ClashFile = filename:join(SubDir,"clash.txt"),
+    AboveFile = filename:join(SubDir,"above.txt"),
+    RelativePathFile = filename:join(SubDir,"subdir/../in_root_dir.txt"),
+
+    %% unzip in SubDir
+    {ok, [ClashFile, ClashFile, AboveFile, RelativePathFile]} =
+	zip:unzip(ZipName, [{cwd,SubDir}]),
+
+    {ok,<<"This file will overwrite other file.\n">>} =
+	file:read_file(ClashFile),
+    {ok,_} = file:read_file(AboveFile),
+    {ok,_} = file:read_file(RelativePathFile),
+
+    %% clean up
+    delete_files([SubDir]),
+    
+     %% create the temp directory again
+    ok = file:make_dir(SubDir),
+
+    %% unzip in SubDir
+    {ok, [ClashFile, AboveFile, RelativePathFile]} =
+	zip:unzip(ZipName, [{cwd,SubDir},keep_old_files]),
+
+    {ok,<<"This is the original file.\n">>} =
+	file:read_file(ClashFile),
+   
+    %% clean up
+    delete_files([SubDir]),
+    ok.
+
 %% Test unzip a jar file (OTP-7382).
 unzip_jar(Config) when is_list(Config) ->
     DataDir = proplists:get_value(data_dir, Config),
diff --git a/lib/stdlib/test/zip_SUITE_data/exploit.zip b/lib/stdlib/test/zip_SUITE_data/exploit.zip
new file mode 100644
index 0000000000..afb8dbd192
--- /dev/null
+++ b/lib/stdlib/test/zip_SUITE_data/exploit.zip