fixed ''Zip Path Traversal Vulnerability''

android/app/src/main/java/net/minetest/minetest/UnzipService.java

@@ -156,7 +156,7 @@ public class UnzipService extends IntentService {
 		int readLen;
 		byte[] readBuffer = new byte[16384];
 		try (FileInputStream fileInputStream = new FileInputStream(zipFile);
-		     ZipInputStream zipInputStream = new ZipInputStream(fileInputStream)) {
+			ZipInputStream zipInputStream = new ZipInputStream(fileInputStream)) {
 			ZipEntry ze;
 			while ((ze = zipInputStream.getNextEntry()) != null) {
 				if (ze.isDirectory()) {
@@ -165,8 +165,21 @@ public class UnzipService extends IntentService {
 					continue;
 				}
 				publishProgress(notificationBuilder, R.string.loading, 100 * ++per / size);
-				try (OutputStream outputStream = new FileOutputStream(
+				// Zip Path Traversal Vulnerability fix: https://support.google.com/faqs/answer/9294009
-						new File(userDataDirectory, ze.getName()))) {
+				
+				File new_file = new File(userDataDirectory, ze.getName());
+				
+				String canonicalPath = new_file.getCanonicalPath();
+
+				// check if canonical path is inside the target directory
+				
+				//if (!canonicalPath.startsWith(userDataDirectory)) {
+				if (!canonicalPath.startsWith(String.valueOf(userDataDirectory))) {
+					throw new IOException("Unzipping failed due to security issue!");
+				}
+				
+				//try (OutputStream outputStream = new FileOutputStream(new File(userDataDirectory, ze.getName()))) {
+				try (OutputStream outputStream = new FileOutputStream(new_file)) {
 					while ((readLen = zipInputStream.read(readBuffer)) != -1) {
 						outputStream.write(readBuffer, 0, readLen);
 					}