From eveni...@apache.org
Subject svn commit: r570537 - /maven/continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/DefaultContinuum.java
Date Tue, 28 Aug 2007 19:32:39 GMT
Author: evenisse
Date: Tue Aug 28 12:32:39 2007
New Revision: 570537

URL: http://svn.apache.org/viewvc?rev=570537&view=rev
Log:
[CONTINUUM-1214] Fix file inclusion vulnerability
Submitted by: Tom Cort

Modified:
    maven/continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/DefaultContinuum.java

Modified: maven/continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/DefaultContinuum.java
URL: http://svn.apache.org/viewvc/maven/continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/DefaultContinuum.java?rev=570537&r1=570536&r2=570537&view=diff
==============================================================================
--- maven/continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/DefaultContinuum.java
(original)
+++ maven/continuum/trunk/continuum-core/src/main/java/org/apache/maven/continuum/DefaultContinuum.java
Tue Aug 28 12:32:39 2007
@@ -87,6 +87,8 @@
 import java.util.List;
 import java.util.Map;
 import java.util.Properties;
+import java.util.regex.Matcher;
+import java.util.regex.Pattern;
 
 /**
  * @author <a href="mailto:jason@maven.org">Jason van Zyl</a>
@@ -2186,11 +2188,19 @@
     public String getFileContent( int projectId, String directory, String filename )
         throws ContinuumException
     {
+        String relativePath = "\\.\\./"; // prevent users from using relative paths.
+        Pattern pattern = Pattern.compile( relativePath );
+        Matcher matcher = pattern.matcher( directory );
+        String filteredDirectory = matcher.replaceAll( "" );
+
+        matcher = pattern.matcher( filename );
+        String filteredFilename = matcher.replaceAll( "" );
+
         File workingDirectory = getWorkingDirectory( projectId );
 
-        File fileDirectory = new File( workingDirectory, directory );
+        File fileDirectory = new File( workingDirectory, filteredDirectory );
 
-        File userFile = new File( fileDirectory, filename );
+        File userFile = new File( fileDirectory, filteredFilename );
 
         try
         {
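Review bot: The regex filter added at L41–L47 strips only the literal sequence `../` in a single pass, so it does not close the traversal: a bare `..` with no trailing slash (e.g. `filename = ".."` or `directory = ".."`) is left untouched and still resolves to the parent of the working directory, `....//` collapses to `../` after one replacement, and on Windows `..\` is never matched at all. A blacklist on the input string is the wrong shape for this check; the robust form is to build the path as before and then verify that its canonical form stays under the canonical working directory, rejecting the request otherwise. The body of `getFileContent` continues past the end of the hunk (the `try` that presumably reads the file), so the `IOException` handling below assumes that type is already imported for that read — confirm, and adjust the `ContinuumException` constructor to whichever signature the class actually offers. As a minor point, `Pattern.compile` on every call is wasteful; if any regex is kept it should be a `private static final Pattern`.
```java
File workingDirectory = getWorkingDirectory( projectId );

File fileDirectory = new File( workingDirectory, directory );

File userFile = new File( fileDirectory, filename );

// Reject any path whose canonical location is outside the working directory;
// this catches "..", "....//", "..\" and symlink escapes that a regex on the raw string misses.
try
{
    String base = workingDirectory.getCanonicalPath() + File.separator;
    if ( !userFile.getCanonicalPath().startsWith( base ) )
    {
        throw new ContinuumException( "Requested file is outside the project working directory" );
    }
}
catch ( IOException e )
{
    throw new ContinuumException( "Unable to resolve requested file path", e );
}
// … unchanged: read and return the file content …
```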


