Posted to commits@wicket.apache.org by pe...@apache.org on 2016/08/10 07:01:07 UTC
wicket git commit: checking repository file name for null bytes
Repository: wicket
Updated Branches:
refs/heads/wicket-6.x 996e17c3c -> 5119db308
checking repository file name for null bytes
Project: http://git-wip-us.apache.org/repos/asf/wicket/repo
Commit: http://git-wip-us.apache.org/repos/asf/wicket/commit/5119db30
Tree: http://git-wip-us.apache.org/repos/asf/wicket/tree/5119db30
Diff: http://git-wip-us.apache.org/repos/asf/wicket/diff/5119db30
Branch: refs/heads/wicket-6.x
Commit: 5119db30872c917a6480a84c85483fe9d5322619
Parents: 996e17c
Author: Pedro Henrique Oliveira dos Santos <pe...@apache.org>
Authored: Wed Aug 10 03:56:21 2016 -0300
Committer: Pedro Henrique Oliveira dos Santos <pe...@apache.org>
Committed: Wed Aug 10 03:56:21 2016 -0300
----------------------------------------------------------------------
.../java/org/apache/wicket/util/io/Streams.java | 36 ++++++++++++++++++++
.../apache/wicket/util/upload/DiskFileItem.java | 4 +++
2 files changed, 40 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/wicket/blob/5119db30/wicket-util/src/main/java/org/apache/wicket/util/io/Streams.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/io/Streams.java b/wicket-util/src/main/java/org/apache/wicket/util/io/Streams.java
index 131f5fc..f2fc907 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/io/Streams.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/io/Streams.java
@@ -24,6 +24,7 @@ import java.io.OutputStream;
import java.io.Reader;
import java.net.URL;
import java.net.URLConnection;
+import java.security.InvalidParameterException;
import java.util.Properties;
import org.apache.wicket.util.lang.Args;
@@ -205,6 +206,41 @@ public final class Streams
}
/**
+ * Checks, whether the given file name is valid in the sense, that it
+ * doesn't contain any NUL characters. If the file name is valid, it will be
+ * returned without any modifications. Otherwise, an
+ * {@link InvalidFileNameException} is raised.
+ *
+ * @param fileName
+ * The file name to check
+ * @return Unmodified file name, if valid.
+ * @throws InvalidFileNameException
+ * The file name was found to be invalid.
+ */
+ public static String checkFileName(String fileName)
+ {
+ if (fileName != null && fileName.indexOf('\u0000') != -1)
+ {
+ final StringBuilder sb = new StringBuilder();
+ for (int i = 0; i < fileName.length(); i++)
+ {
+ char c = fileName.charAt(i);
+ switch (c)
+ {
+ case 0 :
+ sb.append("\\0");
+ break;
+ default :
+ sb.append(c);
+ break;
+ }
+ }
+ throw new InvalidParameterException("Invalid file name: " + sb);
+ }
+ return fileName;
+ }
+
+ /**
* Private to prevent instantiation.
*/
private Streams()
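Review bot: The Javadoc on `checkFileName` names `{@link InvalidFileNameException}` in both the description and the `@throws` tag, but the method throws `java.security.InvalidParameterException`. No import of `InvalidFileNameException` is visible in this diff, so the link probably will not resolve, and a caller catching the documented type would miss the rejection. Either throw the documented type or change the doc to `@throws InvalidParameterException if the file name contains a NUL character`. The doc should also say that a `null` file name is returned unchanged, since `fileName != null` guards the check. The message escapes only NUL and echoes every other character as is, so if it reaches a log, control characters such as CR/LF go through unescaped.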
http://git-wip-us.apache.org/repos/asf/wicket/blob/5119db30/wicket-util/src/main/java/org/apache/wicket/util/upload/DiskFileItem.java
----------------------------------------------------------------------
diff --git a/wicket-util/src/main/java/org/apache/wicket/util/upload/DiskFileItem.java b/wicket-util/src/main/java/org/apache/wicket/util/upload/DiskFileItem.java
index b7dfabe..e95c672 100644
--- a/wicket-util/src/main/java/org/apache/wicket/util/upload/DiskFileItem.java
+++ b/wicket-util/src/main/java/org/apache/wicket/util/upload/DiskFileItem.java
@@ -617,6 +617,10 @@ public class DiskFileItem implements FileItem, FileItemHeadersSupport
File tempDir = repository;
if (tempDir == null)
{
+ if (repository != null)
+ {
+ Streams.checkFileName(repository.getPath());
+ }
String systemTmp = null;
try
{
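Review bot: The added `Streams.checkFileName(repository.getPath())` call sits inside `if (tempDir == null)`, and `tempDir` was assigned from `repository` on the line just above. As shown, `repository != null` cannot hold there, so the NUL check never runs and a configured repository path is still used unchecked. Move the guard ahead of the null test, e.g. `if (repository != null) { Streams.checkFileName(repository.getPath()); }` before `if (tempDir == null)`, or into an `else` branch of it. The enclosing method starts and ends outside this hunk, so the later use of `tempDir` is not visible here.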