FELIX-6189 - Make sure jar/zip files are jailed to the destination di…

…rectory
apache · Mar 3, 2020 · a21b7bb · a21b7bb
1 parent 990e9d4
commit a21b7bb
Show file tree

Hide file tree

Showing 5 changed files with 15 additions and 3 deletions.
diff --git a/bundlerepository/pom.xml b/bundlerepository/pom.xml
@@ -38,7 +38,7 @@
     <dependency>
       <groupId>${project.groupId}</groupId>
       <artifactId>org.apache.felix.utils</artifactId>
-      <version>1.11.0-SNAPSHOT</version>
+      <version>1.11.4</version>
       <optional>true</optional>
     </dependency>
     <dependency>

diff --git a/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/FileUtil.java b/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/FileUtil.java
@@ -112,6 +112,9 @@ public static void unjar(JarInputStream jis, File dir)
             }
 
             File target = new File(dir, je.getName());
+            if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+                throw new IOException("The output file is not contained in the destination directory");
+            }
 
             // Check to see if the JAR entry is a directory.
             if (je.isDirectory())
@@ -219,4 +222,4 @@ public static InputStream openURL(final URLConnection conn) throws IOException
             throw newException;
         }
     }
-}
+}
diff --git a/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/ObrGogoCommand.java b/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/ObrGogoCommand.java
@@ -765,6 +765,9 @@ public static void unjar(JarInputStream jis, File dir)
             }
 
             File target = new File(dir, je.getName());
+            if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+                throw new IOException("The output file is not contained in the destination directory");
+            }
 
             // Check to see if the JAR entry is a directory.
             if (je.isDirectory())

diff --git a/...n/deploymentadmin/src/main/java/org/apache/felix/deploymentadmin/spi/SnapshotCommand.java b/...n/deploymentadmin/src/main/java/org/apache/felix/deploymentadmin/spi/SnapshotCommand.java
@@ -92,6 +92,9 @@ protected static void restore(File archiveFile, File targetDir) throws IOExcepti
             ZipEntry entry;
             while ((entry = input.getNextEntry()) != null) {
                 File targetEntry = new File(targetDir, entry.getName());
+                if (!targetEntry.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+                    throw new IOException("The output file is not contained in the destination directory");
+                }
 
                 if (entry.isDirectory()) {
                     if (!targetEntry.mkdirs()) {
@@ -223,4 +226,4 @@ protected void onFailure(Exception e) {
             m_session.getLog().log(LogService.LOG_WARNING, "Failed to restore snapshot!", e);
         }
     }
-}
+}
diff --git a/gogo/command/src/main/java/org/apache/felix/gogo/command/Util.java b/gogo/command/src/main/java/org/apache/felix/gogo/command/Util.java
@@ -166,6 +166,9 @@ public static void unjar(JarInputStream jis, File dir)
             }
 
             File target = new File(dir, je.getName());
+            if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+                throw new IOException("The output file is not contained in the destination directory");
+            }
 
             // Check to see if the JAR entry is a directory.
             if (je.isDirectory())