You are viewing a plain text version of this content. The canonical link for it is here.

Posted to commits@camel.apache.org by co...@apache.org on 2019/11/11 18:03:05 UTC

[camel] 02/04: Make sure the temp file is jailed to the tmpdir

This is an automated email from the ASF dual-hosted git repository.

coheigea pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/camel.git

commit 80df11395d45e0a0e27b556bedf80cd18268f4e3
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Mon Nov 11 15:41:01 2019 +0000

    Make sure the temp file is jailed to the tmpdir
---
 .../main/java/org/apache/camel/component/jira/FileConverter.java    | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/components/camel-jira/src/main/java/org/apache/camel/component/jira/FileConverter.java b/components/camel-jira/src/main/java/org/apache/camel/component/jira/FileConverter.java
index 6e3bb1c..11048af 100644
--- a/components/camel-jira/src/main/java/org/apache/camel/component/jira/FileConverter.java
+++ b/components/camel-jira/src/main/java/org/apache/camel/component/jira/FileConverter.java
@@ -37,7 +37,11 @@ public final class FileConverter {
         File file;
         if (body instanceof byte[]) {
             byte[] bos = (byte[]) body;
-            file = new File(System.getProperty("java.io.tmpdir"), genericFile.getFileName());
+            String destDir = System.getProperty("java.io.tmpdir");
+            file = new File(destDir, genericFile.getFileName());
+            if (!file.getCanonicalPath().startsWith(destDir)) {
+                throw new IOException("File is not jailed to the destination directory");
+            }
             Files.write(file.toPath(), bos, StandardOpenOption.CREATE);
             // delete the temporary file on exit, as other routing may need the file for post processing
             file.deleteOnExit();