From commits-return-52260-archive-asf-public=cust-asf.ponee.io@cxf.apache.org Wed Sep 4 17:11:45 2019 Return-Path: X-Original-To: archive-asf-public@cust-asf.ponee.io Delivered-To: archive-asf-public@cust-asf.ponee.io Received: from mail.apache.org (hermes.apache.org [207.244.88.153]) by mx-eu-01.ponee.io (Postfix) with SMTP id C6B321804BB for ; Wed, 4 Sep 2019 19:11:44 +0200 (CEST) Received: (qmail 45276 invoked by uid 500); 4 Sep 2019 22:45:37 -0000 Mailing-List: contact commits-help@cxf.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@cxf.apache.org Delivered-To: mailing list commits@cxf.apache.org Received: (qmail 45263 invoked by uid 99); 4 Sep 2019 22:45:37 -0000 Received: from ec2-52-202-80-70.compute-1.amazonaws.com (HELO gitbox.apache.org) (52.202.80.70) by apache.org (qpsmtpd/0.29) with ESMTP; Wed, 04 Sep 2019 22:45:37 +0000 Received: by gitbox.apache.org (ASF Mail Server at gitbox.apache.org, from userid 33) id E773D80642; Wed, 4 Sep 2019 17:11:43 +0000 (UTC) Date: Wed, 04 Sep 2019 17:11:43 +0000 To: "commits@cxf.apache.org" Subject: [cxf] branch 3.3.x-fixes updated: CXF-8101 - Strip file path from Content-Disposition filename MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit Message-ID: <156761710376.24488.3207157998416469128@gitbox.apache.org> 
From: coheigea@apache.org
X-Git-Host: gitbox.apache.org
X-Git-Repo: cxf
X-Git-Refname: refs/heads/3.3.x-fixes
X-Git-Reftype: branch
X-Git-Oldrev: 2f762e99c515580e19703ec2f9e8855559c9f94c
X-Git-Newrev: e84d7b2bb716dc1efe719497d8cef17aae092861
X-Git-Rev: e84d7b2bb716dc1efe719497d8cef17aae092861
X-Git-NotificationType: ref_changed_plus_diff
X-Git-Multimail-Version: 1.5.dev
Auto-Submitted: auto-generated

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch 3.3.x-fixes
in repository https://gitbox.apache.org/repos/asf/cxf.git

The following commit(s) were added to refs/heads/3.3.x-fixes by this push:
new e84d7b2 CXF-8101 - Strip file path from Content-Disposition filename
e84d7b2 is described below

commit e84d7b2bb716dc1efe719497d8cef17aae092861
Author: Colm O hEigeartaigh
AuthorDate: Wed Sep 4 18:10:43 2019 +0100

CXF-8101 - Strip file path from Content-Disposition filename

(cherry picked from commit 72574910b2cd61ca5208c46784136553d310ba1b)
---
.../org/apache/cxf/attachment/AttachmentUtil.java | 5 ++--
.../java/org/apache/cxf/helpers/FileUtils.java | 18 ++++++++++++
.../cxf/attachment/AttachmentDeserializerTest.java | 33 ++++++++++++++++++++++
3 files changed, 54 insertions(+), 2 deletions(-)

diff --git a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
index 4dd44bc..fba8cba 100644
--- a/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
+++ b/core/src/main/java/org/apache/cxf/attachment/AttachmentUtil.java
@@ -54,6 +54,7 @@ import javax.activation.MailcapCommandMap;
 import javax.activation.URLDataSource;
 
 import org.apache.cxf.common.util.StringUtils;
+import org.apache.cxf.helpers.FileUtils;
 import org.apache.cxf.helpers.HttpHeaderHelper;
 import org.apache.cxf.interceptor.Fault;
 import org.apache.cxf.io.CachedOutputStream;
@@ -393,13 +394,13 @@ public final class AttachmentUtil {
 if (encoding == null) {
 encoding = "binary";
 }
- InputStream ins = decode(stream, encoding);
+ InputStream ins = decode(stream, encoding);
 if (ins != stream) {
 headers.remove("Content-Transfer-Encoding");
 }
 DataSource source = new AttachmentDataSource(ct, ins);
 if (!StringUtils.isEmpty(fileName)) {
- ((AttachmentDataSource)source).setName(fileName);
+ ((AttachmentDataSource)source).setName(FileUtils.stripPath(fileName));
 }
 att.setDataHandler(new DataHandler(source));
 return att;
diff --git a/core/src/main/java/org/apache/cxf/helpers/FileUtils.java b/core/src/main/java/org/apache/cxf/helpers/FileUtils.java
index b166c58..b847d5a 100644
--- a/core/src/main/java/org/apache/cxf/helpers/FileUtils.java
+++ b/core/src/main/java/org/apache/cxf/helpers/FileUtils.java
@@ -392,4 +392,22 @@ public final class FileUtils {
 return file.exists();
 });
 }
+
+ /**
+ * Strips any leading paths
+ */
+ public static String stripPath(String name) {
+ if (name == null) {
+ return null;
+ }
+ int posUnix = name.lastIndexOf('/');
+ int posWin = name.lastIndexOf('\\');
+ int pos = Math.max(posUnix, posWin);
+
+ if (pos != -1) {
+ return name.substring(pos + 1);
+ }
+ return name;
+ }
+
 }
diff --git a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
index 8f32fa3..717083e 100644
--- a/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
+++ b/core/src/test/java/org/apache/cxf/attachment/AttachmentDeserializerTest.java
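Review bot: The emptiness check on `fileName` runs before `FileUtils.stripPath`, so a Content-Disposition filename that ends in a separator (for example `filename=foo/`) passes `!StringUtils.isEmpty(fileName)` and then sets the data source name to the empty string, an outcome the pre-patch code could not produce. Strip first and test the result instead: `String baseName = FileUtils.stripPath(fileName);` / `if (!StringUtils.isEmpty(baseName)) {` / `((AttachmentDataSource)source).setName(baseName);`. Stripping separators also leaves `.` and `..` intact, so any consumer that still turns the attachment name into a filesystem path needs its own base-directory containment check; whether such a consumer exists is not visible in this diff. The `InputStream ins = decode(...)` line is replaced by an identical-looking line, presumably a whitespace-only fix, which would read more clearly in a separate commit. The enclosing method's signature lies outside the hunk.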
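Review bot: The Javadoc `Strips any leading paths` leaves out the parts of the contract callers rely on: `stripPath` treats both `/` and `\` as separators on every platform, maps `null` to `null`, returns the empty string for a name ending in a separator, and performs no further validation, so `.` and `..` are returned unchanged. I would replace it with `Returns the final segment of {@code name}, treating both '/' and '\\' as separators regardless of platform. {@code null} yields {@code null} and a trailing separator yields the empty string; the result is not otherwise validated, so "." and ".." come back as-is and callers building filesystem paths must still check containment.` Since this helper is the sanitisation step for client-supplied Content-Disposition names, a direct unit test covering the backslash, trailing-separator and `..` cases would pin that behaviour independently of the attachment parsing path; I cannot tell from this diff whether the FileUtils test class already has one.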
@@ -750,4 +750,37 @@ public class AttachmentDeserializerTest {
 assertEquals(40, msg.getAttachments().size());
 }
 
+ @Test
+ public void testInvalidContentDispositionFilename() throws Exception {
+ StringBuilder sb = new StringBuilder(1000);
+ sb.append("SomeHeader: foo\n")
+ .append("------=_Part_34950_1098328613.1263781527359\n")
+ .append("Content-Type: text/xml; charset=UTF-8\n")
+ .append("Content-Transfer-Encoding: binary\n")
+ .append("Content-Id: <318731183421.1263781527359.IBM.WEBSERVICES@auhpap02>\n")
+ .append('\n')
+ .append("\n");
+
+ sb.append("------=_Part_34950_1098328613.1263781527359\n")
+ .append("Content-Type: text/xml\n")
+ .append("Content-Transfer-Encoding: binary\n")
+ .append("Content-Id: \n")
+ .append("Content-Disposition: attachment; filename=../../../../../../../../etc/passwd\n")
+ .append('\n')
+ .append("\n")
+ .append("------=_Part_34950_1098328613.1263781527359--\n");
+
+ msg = new MessageImpl();
+ msg.setContent(InputStream.class, new ByteArrayInputStream(sb.toString().getBytes(StandardCharsets.UTF_8)));
+ msg.put(Message.CONTENT_TYPE, "multipart/related");
+ AttachmentDeserializer ad = new AttachmentDeserializer(msg);
+ ad.initializeAttachments();
+
+ // Force it to load the attachments
+ assertEquals(1, msg.getAttachments().size());
+ Attachment attachment = msg.getAttachments().iterator().next();
+ AttachmentDataSource dataSource = (AttachmentDataSource)attachment.getDataHandler().getDataSource();
+ assertEquals("passwd", dataSource.getName());
+ }
+
 }
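Review bot: The new test covers only the forward-slash form of the filename, while `FileUtils.stripPath` also strips backslashes and produces an empty name for a trailing separator; neither case is exercised here, so a regression in the `lastIndexOf('\\')` branch or in the empty-result handling would pass unnoticed. Consider a second message part with a backslash name such as `filename=..\\sub\\report.txt` (expected `report.txt`) and one with a trailing separator, or a small direct test of `FileUtils.stripPath` alongside this parsing-level one. The comment `// Force it to load the attachments` sits above an `assertEquals` rather than a load call; if `getAttachments()` is what triggers the lazy parse, saying so (`// getAttachments() triggers the lazy parse; size is asserted as a side effect`) would make the intent clearer.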