Posted to commits@commons.apache.org by bo...@apache.org on 2016/06/07 16:46:38 UTC

commons-compress git commit: COMPRESS-351 CPIO InputStream sanitizes file names now

Repository: commons-compress
Updated Branches:
  refs/heads/master 048b701a9 -> b5071c2f8


COMPRESS-351 CPIO InputStream sanitizes file names now


Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/b5071c2f
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/b5071c2f
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/b5071c2f

Branch: refs/heads/master
Commit: b5071c2f8bcaa96cc9efb0214b2896cc26996ca9
Parents: 048b701
Author: Stefan Bodewig <bo...@apache.org>
Authored: Tue Jun 7 18:46:10 2016 +0200
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Tue Jun 7 18:46:10 2016 +0200

----------------------------------------------------------------------
 src/changes/changes.xml                                 |  7 +++++++
 .../compress/archivers/cpio/CpioArchiveInputStream.java | 12 +++++++++---
 2 files changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/commons-compress/blob/b5071c2f/src/changes/changes.xml
----------------------------------------------------------------------
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 4a46e25..57d76b5 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -74,6 +74,13 @@ The <action> type attribute can be add,update,fix,remove.
         BZip2CompressorOutputStream#finish is now synchronized to
         avoid a race condition with the finalize method.
       </action>
+      <action issue="COMPRESS-351" type="update" date="2016-06-07">
+        ZipArchiveInputStream and CpioArchiveInputStream could throw
+        exceptions who's messages contained potentially corrupt entry
+        names read from a broken archive. They will now sanitize the
+        names by replacing unprintable characters and restricting the
+        length to 255 characters.
+      </action>
     </release>
     <release version="1.11" date="2016-04-06"
              description="Release 1.11">

http://git-wip-us.apache.org/repos/asf/commons-compress/blob/b5071c2f/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
index 8c69bce..6e4d09e 100644
--- a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
+++ b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
@@ -384,7 +384,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements
         final String name = readCString((int) namesize);
         ret.setName(name);
         if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){
-            throw new IOException("Mode 0 only allowed in the trailer. Found entry name: "+name + " Occured at byte: " + getBytesRead());
+            throw new IOException("Mode 0 only allowed in the trailer. Found entry name: "
+                                  + ArchiveUtils.sanitize(name)
+                                  + " Occured at byte: " + getBytesRead());
         }
         skip(ret.getHeaderPadCount());
 
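Review bot: The length passed in `readCString((int) namesize)` comes from the archive header and is narrowed by a cast with no range check visible in this hunk, so a corrupt header could yield a negative or very large value; the same context line appears in the hunks at -410 and -436. A guard before the read would reject it early, for example `if (namesize < 0 || namesize > Integer.MAX_VALUE) { throw new IOException("Invalid name size. Occurred at byte: " + getBytesRead()); }`, ideally with a tighter upper bound than the int range. `readCString` is defined outside the hunk and may already bound the value, so this should be confirmed there before adding a second check. The enclosing method starts and ends outside the hunk.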
@@ -410,7 +412,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements
         final String name = readCString((int) namesize);
         ret.setName(name);
         if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){
-            throw new IOException("Mode 0 only allowed in the trailer. Found entry: "+ name + " Occured at byte: " + getBytesRead());
+            throw new IOException("Mode 0 only allowed in the trailer. Found entry: "
+                                  + ArchiveUtils.sanitize(name)
+                                  + " Occured at byte: " + getBytesRead());
         }
 
         return ret;
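Review bot: The three `throw new IOException(...)` sites repeat the same three-line concatenation with small differences: the first hunk says `Found entry name: `, this one and the third say `Found entry: `, and the third has `"Occured at byte: "` with no leading space, so the sanitized name runs straight into the next word. A private helper that builds the message once would keep them aligned, reducing each site to something like `throw modeZeroOutsideTrailer(name);` (the helper name is only a suggestion). If the text is touched anyway, `Occured` should read `Occurred`, i.e. `+ " Occurred at byte: " + getBytesRead());`. Only the exception text is sanitized, while `ret.setName(name)` keeps the raw name, so a comment such as `// sanitize() is for display only; the entry name itself is still untrusted input` would help callers who log it or use it as a path. The enclosing method starts outside the hunk.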
@@ -436,7 +440,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements
         final String name = readCString((int) namesize);
         ret.setName(name);
         if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){
-            throw new IOException("Mode 0 only allowed in the trailer. Found entry: "+name + "Occured at byte: " + getBytesRead());
+            throw new IOException("Mode 0 only allowed in the trailer. Found entry: "
+                                  + ArchiveUtils.sanitize(name)
+                                  + "Occured at byte: " + getBytesRead());
         }
         skip(ret.getHeaderPadCount());