Posted to commits@commons.apache.org by bo...@apache.org on 2016/06/07 16:46:38 UTC
commons-compress git commit: COMPRESS-351 CPIO InputStream sanitizes
file names now
Repository: commons-compress
Updated Branches:
refs/heads/master 048b701a9 -> b5071c2f8
COMPRESS-351 CPIO InputStream sanitizes file names now
Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo
Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/b5071c2f
Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/b5071c2f
Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/b5071c2f
Branch: refs/heads/master
Commit: b5071c2f8bcaa96cc9efb0214b2896cc26996ca9
Parents: 048b701
Author: Stefan Bodewig <bo...@apache.org>
Authored: Tue Jun 7 18:46:10 2016 +0200
Committer: Stefan Bodewig <bo...@apache.org>
Committed: Tue Jun 7 18:46:10 2016 +0200
----------------------------------------------------------------------
src/changes/changes.xml | 7 +++++++
.../compress/archivers/cpio/CpioArchiveInputStream.java | 12 +++++++++---
2 files changed, 16 insertions(+), 3 deletions(-)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/commons-compress/blob/b5071c2f/src/changes/changes.xml
----------------------------------------------------------------------
diff --git a/src/changes/changes.xml b/src/changes/changes.xml
index 4a46e25..57d76b5 100644
--- a/src/changes/changes.xml
+++ b/src/changes/changes.xml
@@ -74,6 +74,13 @@ The <action> type attribute can be add,update,fix,remove.
BZip2CompressorOutputStream#finish is now synchronized to
avoid a race condition with the finalize method.
</action>
+ <action issue="COMPRESS-351" type="update" date="2016-06-07">
+ ZipArchiveInputStream and CpioArchiveInputStream could throw
+ exceptions who's messages contained potentially corrupt entry
+ names read from a broken archive. They will now sanitize the
+ names by replacing unprintable characters and restricting the
+ length to 255 characters.
+ </action>
</release>
<release version="1.11" date="2016-04-06"
description="Release 1.11">
http://git-wip-us.apache.org/repos/asf/commons-compress/blob/b5071c2f/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
----------------------------------------------------------------------
diff --git a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
index 8c69bce..6e4d09e 100644
--- a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
+++ b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java
@@ -384,7 +384,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements
final String name = readCString((int) namesize);
ret.setName(name);
if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){
- throw new IOException("Mode 0 only allowed in the trailer. Found entry name: "+name + " Occured at byte: " + getBytesRead());
+ throw new IOException("Mode 0 only allowed in the trailer. Found entry name: "
+ + ArchiveUtils.sanitize(name)
+ + " Occured at byte: " + getBytesRead());
}
skip(ret.getHeaderPadCount());
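Review bot: `namesize` is narrowed with `(int)` and handed to `readCString` with no range check visible in this hunk, so the length field from the archive header still decides how much is read; the 255-character cap from `ArchiveUtils.sanitize` only applies to the message built afterwards. The method starts above the hunk, so an earlier validation may exist. If it does not, and assuming `namesize` is a long as the cast suggests, a guard before the read such as `if (namesize < 0 || namesize > Integer.MAX_VALUE) { throw new IOException("Invalid name size at byte: " + getBytesRead()); }` would reject a corrupt header early. The same `readCString((int) namesize)` call appears in the hunks at -410 and -436.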
@@ -410,7 +412,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements
final String name = readCString((int) namesize);
ret.setName(name);
if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){
- throw new IOException("Mode 0 only allowed in the trailer. Found entry: "+ name + " Occured at byte: " + getBytesRead());
+ throw new IOException("Mode 0 only allowed in the trailer. Found entry: "
+ + ArchiveUtils.sanitize(name)
+ + " Occured at byte: " + getBytesRead());
}
return ret;
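Review bot: Only the exception text is sanitized; `ret.setName(name)`, two lines above the check, still stores the name exactly as it was read from the archive. Callers that log the entry name or join it onto an extraction directory therefore receive the unfiltered value. A comment at the `setName` call would make that contract explicit: `// stored as read from the archive; callers must validate before using it as a path or log field`. The enclosing method begins outside the hunk.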
@@ -436,7 +440,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements
final String name = readCString((int) namesize);
ret.setName(name);
if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){
- throw new IOException("Mode 0 only allowed in the trailer. Found entry: "+name + "Occured at byte: " + getBytesRead());
+ throw new IOException("Mode 0 only allowed in the trailer. Found entry: "
+ + ArchiveUtils.sanitize(name)
+ + "Occured at byte: " + getBytesRead());
}
skip(ret.getHeaderPadCount());
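Review bot: The message in this hunk is built with `"Occured at byte: "` without a leading space, so the sanitized name runs straight into the next word and a reader of the log cannot tell where the name ends; the other two hunks have the space. The line should read `+ " Occured at byte: " + getBytesRead());`. The three throw statements also differ in wording ("Found entry name:" in the first, "Found entry:" in the other two), which a small private helper taking the name would keep in step. The enclosing method continues outside the hunk.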