Posted to commits@karaf.apache.org by jb...@apache.org on 2022/01/10 08:17:56 UTC
[karaf] branch main updated: [KARAF-7326] Add ending slash (separator) in canonical path, avoiding partial path traversal
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/main by this push:
new 36a2bc4 [KARAF-7326] Add ending slash (separator) in canonical path, avoiding partial path traversal
new 0b18fe3 Merge pull request #1485 from jbonofre/KARAF-7326
36a2bc4 is described below
commit 36a2bc430cc773db1cfd0b32e307d9da2d1697f7
Author: Jean-Baptiste Onofré <jb...@apache.org>
AuthorDate: Sun Jan 9 19:04:17 2022 +0100
[KARAF-7326] Add ending slash (separator) in canonical path, avoiding partial path traversal
---
obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java | 6 +++++-
.../src/main/java/org/apache/karaf/tooling/RunMojo.java | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java b/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
index 7725d58..3dcbcc7 100644
--- a/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
+++ b/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
@@ -110,7 +110,11 @@ public class FileUtil
}
File target = new File(dir, je.getName());
- if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+ String canonicalizedDir = dir.getCanonicalPath();
+ if (!canonicalizedDir.endsWith(File.separator)) {
+ canonicalizedDir += File.separator;
+ }
+ if (!target.getCanonicalPath().startsWith(canonicalizedDir)) {
throw new IOException("JAR resource cannot contain paths with .. characters");
}
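Review bot: The exception message on the line after the new check is now narrower than what the check rejects: with the trailing separator, an entry whose canonical path lands in a sibling directory sharing the prefix (e.g. `dir` vs `dir2`), an absolute entry name, or a symlink that resolves elsewhere are all refused, none of which necessarily contain `..`. Naming the offending entry also makes a refused archive diagnosable from logs, so I would change it to `throw new IOException("JAR entry resolves outside the target directory: " + je.getName());`. The same wording point applies to the RunMojo hunk below, where the message could read `"Archive entry resolves outside the target directory: " + entry.getName()`. One edge to be aware of: an entry whose canonical path equals the directory itself (such as `.`) no longer passes, which is presumably intended but worth a comment such as `// require a strict subpath of dir; the directory itself is rejected on purpose`. The enclosing method begins before this hunk.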
diff --git a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
index 60714b5..570e6ff 100644
--- a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
+++ b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
@@ -436,7 +436,11 @@ public class RunMojo extends MojoSupport {
String name = entry.getName();
name = name.substring(name.indexOf("/") + 1);
File file = new File(targetDir, name);
- if (!file.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+ String canonicalizedTargetDir = targetDir.getCanonicalPath();
+ if (!canonicalizedTargetDir.endsWith(File.separator)) {
+ canonicalizedTargetDir += File.separator;
+ }
+ if (!file.getCanonicalPath().startsWith(canonicalizedTargetDir)) {
throw new IOException("Archive cannot contain paths with .. characters");
}
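Review bot: The canonicalization of `targetDir` on the first added line is recomputed for every archive entry even though `targetDir` does not change; `getCanonicalPath()` is a filesystem call, so on large archives this is avoidable work. If this block sits inside the per-entry loop (the loop, like the enclosing method, starts outside the hunk), I would compute `canonicalizedTargetDir` once before the loop and keep only the `startsWith` comparison here; the check itself is correct as written. A short why-comment on the separator append, `// trailing separator prevents "target" from matching "target2"`, would also record why the prefix alone was insufficient.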