commons-issues mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Nick Cross (JIRA)" <j...@apache.org>
Subject [jira] [Commented] (VFS-219) Zip file with embedded relative path throws exception
Date Mon, 04 Dec 2017 10:24:00 GMT

    [ https://issues.apache.org/jira/browse/VFS-219?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=16276590#comment-16276590
] 

Nick Cross commented on VFS-219:
--------------------------------

I am not convinced however the changing UriParser would solve it - perhaps instead skip over
the relevant entries with something like
diff --git a/commons-vfs2/src/main/java/org/apache/commons/vfs2/provider/zip/ZipFileSystem.java
b/commons-vfs2/src/main/java/org/apache/commons/vfs2/provider/zip/ZipFileSystem.java


{code:java}
index 90b0e9ff..9128a7fc 100644
--- a/commons-vfs2/src/main/java/org/apache/commons/vfs2/provider/zip/ZipFileSystem.java
+++ b/commons-vfs2/src/main/java/org/apache/commons/vfs2/provider/zip/ZipFileSystem.java
@@ -81,8 +81,17 @@ public class ZipFileSystem extends AbstractFileSystem {
             final Enumeration<? extends ZipEntry> entries = getZipFile().entries();
             while (entries.hasMoreElements()) {
                 final ZipEntry entry = entries.nextElement();
-                final AbstractFileName name = (AbstractFileName) getFileSystemManager().resolveName(getRootName(),
+                final AbstractFileName name;
+
+                try {
+                 name = (AbstractFileName) getFileSystemManager().resolveName(getRootName(),
                         UriParser.encode(entry.getName()));
+                }
+                catch (FileSystemException e)
+                {
+                    LOG.debug ("Unable to create file for name " + entry.getName (), e);
+                    continue;
+                }

{code}


> Zip file with embedded relative path throws exception
> -----------------------------------------------------
>
>                 Key: VFS-219
>                 URL: https://issues.apache.org/jira/browse/VFS-219
>             Project: Commons VFS
>          Issue Type: Bug
>    Affects Versions: 1.0
>            Reporter: Zachary Bedell
>            Priority: Minor
>
> Attempting to open a ZIP file with an embedded relative path causes an exception.
> To create a sample zip:
> mkdir dir
> echo "foo" > dir/test.txt
> mkdir test
> cd test
> zip test.zip ../dir/test.txt
> test.zip will now contain a path with a relative path that ascends above the root of
the zip.  unzip -l output will look something like:
>   4  10-15-05 12:24   ../dir/test.txt
> The ZIP was created with InfoZIP: Zip 2.32 (June 19th 2006).
> When the file is accessed programatically with:
>   VFS.getManager().resolveFile("zip:///path/to/test/test.zip");
> The following exception occurs:
> org.apache.commons.vfs.FileSystemException: Invalid relative file name.
> 	at org.apache.commons.vfs.provider.UriParser.normalisePath(UriParser.java:154)
> 	at org.apache.commons.vfs.impl.DefaultFileSystemManager.resolveName(DefaultFileSystemManager.java:731)
> 	at org.apache.commons.vfs.impl.DefaultFileSystemManager.resolveName(DefaultFileSystemManager.java:684)
> 	at org.apache.commons.vfs.provider.zip.ZipFileSystem.init(ZipFileSystem.java:88)
> 	at org.apache.commons.vfs.provider.AbstractVfsContainer.addComponent(AbstractVfsContainer.java:53)
> 	at org.apache.commons.vfs.provider.AbstractFileProvider.addFileSystem(AbstractFileProvider.java:96)
> 	at org.apache.commons.vfs.provider.AbstractLayeredFileProvider.createFileSystem(AbstractLayeredFileProvider.java:80)
> 	at org.apache.commons.vfs.provider.AbstractLayeredFileProvider.findFile(AbstractLayeredFileProvider.java:59)
> 	at org.apache.commons.vfs.impl.DefaultFileSystemManager.resolveFile(DefaultFileSystemManager.java:641)
> 	at org.apache.commons.vfs.impl.DefaultFileSystemManager.resolveFile(DefaultFileSystemManager.java:602)
> 	at org.apache.commons.vfs.impl.DefaultFileSystemManager.resolveFile(DefaultFileSystemManager.java:570)
> UriParser.normalisePath() contains the following code:
> if (elemLen == 1 && path.charAt(startElem) == '.')
> {
> 	// A '.' element - axe it
> 	path.delete(startElem, endElem + 1);
> 	maxlen = path.length();
> 	continue;
> }
> if (elemLen == 2 && path.charAt(startElem) == '.'
> 		&& path.charAt(startElem + 1) == '.')
> {
> 	// A '..' element - remove the previous element
> 	if (startElem == startFirstElem)
> 	{
> 		// Previous element is missing
> 		throw new FileSystemException(
> 				"vfs.provider/invalid-relative-path.error");
> 	}
> 	// Find start of previous element
> 	int pos = startElem - 2;
> 	for (; pos >= 0 && path.charAt(pos) != SEPARATOR_CHAR; pos--)
> 	{
> 	}
> 	startElem = pos + 1;
> 	path.delete(startElem, endElem + 1);
> 	maxlen = path.length();
> 	continue;
> }
> // A regular element
> startElem = endElem + 1;
> }
> 		
> I think it would be appropriate to change the throw in the middle to 'continue' as in
the case for a single dot above.



--
This message was sent by Atlassian JIRA
(v6.4.14#64029)

Mime
View raw message