Merge remote-tracking branch 'remotes/origin/MC-17582' into owls-2.2.10-delivery

Author: danmooney2

app/code/Magento/ImportExport/Model/Import/Source/Zip.php

@@ -32,6 +32,12 @@ public function __construct(
             throw new ValidatorException(__('Sorry, but the data is invalid or the file is not uploaded.'));
         }
         $directory->delete($directory->getRelativePath($file));
-        parent::__construct($csvFile, $directory, $options);
+
+        try {
+            parent::__construct($csvFile, $directory, $options);
+        } catch (\LogicException $e) {
+            $directory->delete($directory->getRelativePath($csvFile));
+            throw $e;
+        }
     }
 }

lib/internal/Magento/Framework/Archive/Zip.php

@@ -54,7 +54,8 @@ public function unpack($source, $destination)
         $zip = new \ZipArchive();
         if ($zip->open($source) === true) {
             $filename = $this->filterRelativePaths($zip->getNameIndex(0) ?: '');
-            if ($filename) {
+            if ($filename && !preg_match('#[:"*?|<>%]#', $filename)) {
+                // extract first entry in zip file to destination directory
                 $zip->extractTo(dirname($destination), $filename);
                 rename(dirname($destination).'/'.$filename, $destination);
             } else {