Posted to commits@qpid.apache.org by va...@apache.org on 2022/09/23 09:06:39 UTC
[qpid-broker-j] branch main updated: QPID-8600: [Broker-J] File path validation in management-http plugin (#140)
This is an automated email from the ASF dual-hosted git repository.
vavrtom pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
The following commit(s) were added to refs/heads/main by this push:
new 1f93cf1382 QPID-8600: [Broker-J] File path validation in management-http plugin (#140)
1f93cf1382 is described below
commit 1f93cf1382839f7304d81c3848b4da6ef6c75020
Author: Daniil Kirilyuk <da...@gmail.com>
AuthorDate: Fri Sep 23 11:06:34 2022 +0200
QPID-8600: [Broker-J] File path validation in management-http plugin (#140)
* QPID-8600: [Broker-J] File path validation in management-http plugin
* QPID-8600: [Broker-J] Restored new line to end of file
Co-authored-by: vavrtom <va...@gmail.com>
---
.../management/plugin/GunzipOutputStream.java | 9 ++--
.../management/plugin/servlet/FileServlet.java | 50 ++++++++--------------
2 files changed, 22 insertions(+), 37 deletions(-)
diff --git a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/GunzipOutputStream.java b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/GunzipOutputStream.java
index cf98a2b501..25364fae83 100644
--- a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/GunzipOutputStream.java
+++ b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/GunzipOutputStream.java
@@ -47,9 +47,9 @@ public class GunzipOutputStream extends InflaterOutputStream
}
@Override
- public void write(final byte data[], final int offset, final int length) throws IOException
+ public void write (final byte[] data, final int offset, final int length) throws IOException
{
- try(ByteArrayInputStream bais = new ByteArrayInputStream(data, offset, length))
+ try (ByteArrayInputStream bais = new ByteArrayInputStream(data, offset, length))
{
int b;
while ((b = bais.read()) != -1)
@@ -92,7 +92,6 @@ public class GunzipOutputStream extends InflaterOutputStream
{
_trailer.verify(_crc);
_streamState = StreamState.DONE;
- continue;
}
}
}
@@ -109,7 +108,7 @@ public class GunzipOutputStream extends InflaterOutputStream
ID1, ID2, CM, FLG, MTIME_0, MTIME_1, MTIME_2, MTIME_3, XFL, OS, XLEN_0, XLEN_1, FEXTRA, FNAME, FCOMMENT, CRC16_0, CRC16_1, DONE
}
- private class GZIPHeader
+ private static class GZIPHeader
{
private static final int GZIP_MAGIC_1 = 0x1F;
private static final int GZIP_MAGIC_2 = 0x8B;
@@ -256,7 +255,7 @@ public class GunzipOutputStream extends InflaterOutputStream
{
private static final int TRAILER_SIZE = 8;
private static final long SIZE_MASK = 0xffffffffL;
- private byte[] _trailerBytes = new byte[TRAILER_SIZE];
+ private final byte[] _trailerBytes = new byte[TRAILER_SIZE];
private int _receivedByteIndex;
private boolean trailerByte(int b) throws IOException
diff --git a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/FileServlet.java b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/FileServlet.java
index 0dbcaac458..155dc5e98d 100644
--- a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/FileServlet.java
+++ b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/FileServlet.java
@@ -41,11 +41,10 @@ public class FileServlet extends HttpServlet
private static final String RESOURCES_PREFIX = "/resources";
private static final Map<String, String> CONTENT_TYPES;
-
+
static
{
-
- Map<String, String> contentTypes = new HashMap<String, String>();
+ final Map<String, String> contentTypes = new HashMap<>();
contentTypes.put("js", "application/javascript");
contentTypes.put("html", "text/html");
contentTypes.put("css", "text/css");
@@ -65,17 +64,18 @@ public class FileServlet extends HttpServlet
this(RESOURCES_PREFIX, false);
}
- public FileServlet(String resourcePathPrefix, boolean usePathInfo)
+ public FileServlet(final String resourcePathPrefix, final boolean usePathInfo)
{
_resourcePathPrefix = resourcePathPrefix;
_usePathInfo = usePathInfo;
}
@Override
- protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
+ protected void doGet(final HttpServletRequest request,
+ final HttpServletResponse response) throws ServletException, IOException
{
- String filename = null;
- if(_usePathInfo)
+ String filename;
+ if (_usePathInfo)
{
filename = request.getPathInfo();
}
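Review bot: `filename` can still be null after the new `String filename;` declaration, because `HttpServletRequest.getPathInfo()` returns null when the request carries no extra path information, and the following hunk dereferences it in `filename.contains(".")`; that surfaces as an unhandled NullPointerException (a 500) instead of the servlet's own 404. A guard right after the if/else, `if (filename == null) { response.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown file"); return; }`, would keep the error handling on one path. doGet starts in this hunk and its body continues in the next one.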
@@ -84,48 +84,34 @@ public class FileServlet extends HttpServlet
filename = request.getServletPath();
}
- if(filename.contains("."))
+ if (filename.contains("."))
{
- String suffix = filename.substring(filename.lastIndexOf('.')+1);
- String contentType = CONTENT_TYPES.get(suffix);
- if(contentType != null)
+ final String suffix = filename.substring(filename.lastIndexOf('.')+1);
+ final String contentType = CONTENT_TYPES.get(suffix);
+ if (contentType != null)
{
response.setContentType(contentType);
}
}
- URL resourceURL = getClass().getResource(_resourcePathPrefix + filename);
- if(resourceURL != null)
+ final URL resourceURL = getClass().getResource(_resourcePathPrefix + filename);
+ if (resourceURL != null && !filename.contains(".."))
{
response.setStatus(HttpServletResponse.SC_OK);
- InputStream fileInput = resourceURL.openStream();
- try
+ try (final InputStream fileInput = resourceURL.openStream();
+ final OutputStream output = HttpManagementUtil.getOutputStream(request, response))
{
byte[] buffer = new byte[1024];
- int read = 0;
- OutputStream output = HttpManagementUtil.getOutputStream(request, response);
- try
- {
- while((read = fileInput.read(buffer)) != -1)
- {
- output.write(buffer, 0, read);
- }
- }
- finally
+ int read;
+ while ((read = fileInput.read(buffer)) != -1)
{
- output.close();
+ output.write(buffer, 0, read);
}
}
- finally
- {
- fileInput.close();
- }
}
else
{
response.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown file");
}
-
}
-
}
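Review bot: The `..` rejection on the new `if (resourceURL != null && !filename.contains(".."))` line is evaluated only after `getClass().getResource(_resourcePathPrefix + filename)` has already been resolved with the unvalidated name; checking first keeps the class-loader lookup from ever seeing a traversal-style path and makes the validation visible at the top of the method, e.g. `if (filename.contains("..")) { response.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown file"); return; }` placed before the `resourceURL` line. The substring test is also coarser than a path check — a legitimate resource named like `a..b.js` would be refused — so if such names exist a normalize-then-prefix comparison against `_resourcePathPrefix` would be more precise. Answering both the missing-resource and the rejected-name cases with the same "unknown file" 404 is a good choice, since the response does not reveal which condition applied. doGet's signature and the `filename` assignment are in the preceding hunk.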