I've attached a fix for both issues. I've tested the fix thoroughly, confirmed it does not break functionality, and made sure it resolves the vulnerability, even when doing all sorts of tricks with "." and ".." entries in the path of a file added to a .jar archive.