Posted to commits@karaf.apache.org by jb...@apache.org on 2019/01/18 13:55:36 UTC
[karaf] branch master updated: KARAF-6090 - Also check the URL
encoded form of ".."
This is an automated email from the ASF dual-hosted git repository.
jbonofre pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/karaf.git
The following commit(s) were added to refs/heads/master by this push:
new ac6874f KARAF-6090 - Also check the URL encoded form of ".."
new b833eab Merge pull request #730 from coheigea/KARAF-6090
ac6874f is described below
commit ac6874fc66e9111d5c9c06e04c37f75c509aeb8a
Author: Colm O hEigeartaigh <co...@apache.org>
AuthorDate: Fri Jan 18 10:07:25 2019 +0000
KARAF-6090 - Also check the URL encoded form of ".."
---
.../java/org/apache/karaf/kar/internal/Kar.java | 2 +-
.../org/apache/karaf/kar/internal/KarTest.java | 32 ++++++++++++++++++++++
2 files changed, 33 insertions(+), 1 deletion(-)
diff --git a/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java b/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
index 68209f0..5ff890f 100644
--- a/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
+++ b/kar/src/main/java/org/apache/karaf/kar/internal/Kar.java
@@ -114,7 +114,7 @@ public class Kar {
ZipEntry entry = zipIs.getNextEntry();
while (entry != null) {
- if (entry.getName().contains("..")) {
+ if (entry.getName().contains("..") || entry.getName().contains("%2e%2e")) {
LOGGER.warn("kar entry {} contains a .. relative path. For security reasons, it's not allowed.", entry.getName());
} else {
if (entry.getName().startsWith("repository/")) {
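Review bot: The added `%2e%2e` check on the `if` line is case-sensitive, so `%2E%2E` (or mixed forms such as `.%2e`) still passes it, even though any decoder that turns `%2e%2e` back into `..` would decode those too; if the entry name really is URL-decoded somewhere downstream, which is the only reason the encoded form matters here, the substring blacklist is not complete. A cheaper and more robust guard compares a lower-cased name, `String name = entry.getName().toLowerCase(Locale.ROOT);` followed by `if (name.contains("..") || name.contains("%2e%2e") || name.startsWith("/")) {` (needs `java.util.Locale`), which also rejects absolute entry names, which the current condition lets through. The durable fix is a canonical-path containment check on the resolved target where the entry is written, `target.getCanonicalPath().startsWith(base.getCanonicalPath() + File.separator)`, but that code sits in the `else` branch, which continues outside this hunk along with the rest of the enclosing extract loop.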
diff --git a/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java b/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
index 81c3838..b7b70c6 100644
--- a/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
+++ b/kar/src/test/java/org/apache/karaf/kar/internal/KarTest.java
@@ -74,6 +74,38 @@ public class KarTest {
Assert.assertEquals(0, repoDirFiles.length);
File[] resourceDirFiles = resourceDir.listFiles();
Assert.assertEquals(0, resourceDirFiles.length);
+
+ badKarFile.delete();
+ }
+
+ @Test
+ public void badEncodedKarExtractTest() throws Exception {
+ File base = new File("target/test");
+ base.mkdirs();
+ File badKarFile = new File(base,"badencoded.kar");
+ ZipOutputStream zos = new ZipOutputStream(new FileOutputStream(badKarFile));
+ // Use the encoded form of ".." here
+ ZipEntry entry = new ZipEntry("%2e%2e/%2e%2e/%2e%2e/%2e%2e/foo.bar");
+ zos.putNextEntry(entry);
+
+ byte[] data = "Test Data".getBytes();
+ zos.write(data, 0, data.length);
+ zos.closeEntry();
+ zos.close();
+
+ Kar kar = new Kar(new URI("file:target/test/badencoded.kar"));
+ File repoDir = new File("target/test/repo");
+ repoDir.mkdirs();
+ File resourceDir = new File("target/test/resources");
+ resourceDir.mkdirs();
+ kar.extract(repoDir, resourceDir);
+
+ File[] repoDirFiles = repoDir.listFiles();
+ Assert.assertEquals(0, repoDirFiles.length);
+ File[] resourceDirFiles = resourceDir.listFiles();
+ Assert.assertEquals(0, resourceDirFiles.length);
+
+ badKarFile.delete();
}
}
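Review bot: The assertions at the end of `badEncodedKarExtractTest` (that `repoDir` and `resourceDir` stay empty) would also hold if the entry had been extracted outside those directories, which is exactly what a successful traversal does, so the test does not distinguish a rejected entry from an escaped one; asserting that the escaped target does not exist, e.g. `Assert.assertFalse(new File(repoDir, "../../../../foo.bar").exists());` for whatever path a decoded `..` chain would reach, would pin the behaviour. The test also only exercises lowercase `%2e%2e`; a second entry named `%2E%2E/foo.bar` would document whether the uppercase form is meant to be rejected as well. Minor: open `zos` in a try-with-resources so the `FileOutputStream` is closed if `putNextEntry` throws, and use `"Test Data".getBytes(StandardCharsets.UTF_8)` rather than the platform charset. The first three added lines belong to a test method whose start is outside this hunk.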