From d54e6847fbacf570c759ff879bc2b51a7bcafd50 Mon Sep 17 00:00:00 2001
From: Colm O hEigeartaigh
Date: Tue, 3 Mar 2020 09:48:23 +0000
Subject: [PATCH] FELIX-6189 - Make sure jar/zip files are jailed to the destination directory
---
 .../org/apache/felix/bundlerepository/impl/FileUtil.java | 5 ++++-
 .../apache/felix/bundlerepository/impl/ObrGogoCommand.java | 3 +++
 .../apache/felix/deploymentadmin/spi/SnapshotCommand.java | 5 ++++-
 .../src/main/java/org/apache/felix/gogo/command/Util.java | 3 +++
 4 files changed, 14 insertions(+), 2 deletions(-)
diff --git a/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/FileUtil.java b/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/FileUtil.java
index 9a27e3ff49..1421ee661f 100644
--- a/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/FileUtil.java
+++ b/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/FileUtil.java
@@ -112,6 +112,9 @@ public static void unjar(JarInputStream jis, File dir)
 }
 File target = new File(dir, je.getName());
+ if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+ throw new IOException("The output file is not contained in the destination directory");
+ }
 // Check to see if the JAR entry is a directory.
 if (je.isDirectory())
@@ -219,4 +222,4 @@ public static InputStream openURL(final URLConnection conn) throws IOException
 throw newException;
 }
 }
-}
\ No newline at end of file
+}
diff --git a/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/ObrGogoCommand.java b/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/ObrGogoCommand.java
index 4d3f7a6ebe..7c5b1d7527 100644
--- a/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/ObrGogoCommand.java
+++ b/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/ObrGogoCommand.java
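Review bot: The containment check added to FileUtil.unjar compares the two canonical paths with a bare `startsWith`, so an entry that canonicalizes to a sibling directory whose name merely extends the destination's (destination `/data/out`, entry resolving to `/data/outside/x`) still passes and is written outside `dir`. Anchor the prefix on a path separator and keep the equality case for an entry that resolves to the directory itself: `String base = dir.getCanonicalPath(); String path = target.getCanonicalPath();` followed by `if (!path.equals(base) && !path.startsWith(base + File.separator)) { throw new IOException(...); }`. While there, include `je.getName()` in the exception message so an operator can tell which archive entry was rejected. The body of unjar starts before the hunk and continues after it, so the surrounding loop is not visible here.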
@@ -765,6 +765,9 @@ public static void unjar(JarInputStream jis, File dir)
 }
 File target = new File(dir, je.getName());
+ if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+ throw new IOException("The output file is not contained in the destination directory");
+ }
 // Check to see if the JAR entry is a directory.
 if (je.isDirectory())
diff --git a/deploymentadmin/deploymentadmin/src/main/java/org/apache/felix/deploymentadmin/spi/SnapshotCommand.java b/deploymentadmin/deploymentadmin/src/main/java/org/apache/felix/deploymentadmin/spi/SnapshotCommand.java
index 29c2c2c2b3..0e44d4eddf 100644
--- a/deploymentadmin/deploymentadmin/src/main/java/org/apache/felix/deploymentadmin/spi/SnapshotCommand.java
+++ b/deploymentadmin/deploymentadmin/src/main/java/org/apache/felix/deploymentadmin/spi/SnapshotCommand.java
@@ -92,6 +92,9 @@ protected static void restore(File archiveFile, File targetDir) throws IOExcepti
 ZipEntry entry;
 while ((entry = input.getNextEntry()) != null) {
 File targetEntry = new File(targetDir, entry.getName());
+ if (!targetEntry.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+ throw new IOException("The output file is not contained in the destination directory");
+ }
 if (entry.isDirectory()) {
 if (!targetEntry.mkdirs()) {
@@ -223,4 +226,4 @@ protected void onFailure(Exception e) {
 m_session.getLog().log(LogService.LOG_WARNING, "Failed to restore snapshot!", e);
 }
 }
-}
\ No newline at end of file
+}
diff --git a/gogo/command/src/main/java/org/apache/felix/gogo/command/Util.java b/gogo/command/src/main/java/org/apache/felix/gogo/command/Util.java
index 21a84272a1..c4b4ddfe42 100644
--- a/gogo/command/src/main/java/org/apache/felix/gogo/command/Util.java
+++ b/gogo/command/src/main/java/org/apache/felix/gogo/command/Util.java
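Review bot: The new guard in ObrGogoCommand.unjar still lets a traversal through when the escaped path shares a textual prefix with the destination, because `startsWith` is applied to the canonical directory path without a trailing separator; `../out2/x` under a destination named `out` passes the test and lands in `out2`. Compare against `dir.getCanonicalPath() + File.separator` (and accept an exact match for an entry that is the directory itself): `if (!path.equals(base) && !path.startsWith(base + File.separator))`. The enclosing unjar begins before this hunk, so the earlier per-entry checks it may already perform are not visible here.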
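Review bot: In SnapshotCommand.restore the added check runs before both the `mkdirs` branch and the file write, which is the right place, but the prefix comparison is unanchored: a `targetDir` of `/srv/snap` accepts an entry that canonicalizes to `/srv/snapshots/evil`. Use a separator-terminated base, e.g. `String base = targetDir.getCanonicalPath() + File.separator;` and `if (!targetEntry.getCanonicalPath().startsWith(base))`, keeping an explicit equality case if the archive can contain a bare `.` or empty-name entry for the root. Consider naming `entry.getName()` in the exception text so a rejected snapshot is diagnosable from the log this class writes on failure. restore's try/finally and the loop body continue past the hunk.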
@@ -166,6 +166,9 @@ public static void unjar(JarInputStream jis, File dir)
 }
 File target = new File(dir, je.getName());
+ if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+ throw new IOException("The output file is not contained in the destination directory");
+ }
 // Check to see if the JAR entry is a directory.
 if (je.isDirectory())
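Review bot: The jail check in gogo's Util.unjar has the same gap as the other copies: `target.getCanonicalPath().startsWith(dir.getCanonicalPath())` accepts any path that begins with the destination's characters, including a sibling directory such as `dir` + `2`, so the entry is not actually confined to `dir`. Compute `String base = dir.getCanonicalPath() + File.separator;` and test `target.getCanonicalPath().startsWith(base)`, allowing equality with the un-suffixed base for an entry that resolves to the directory itself. Since this method is duplicated verbatim across three bundles, the corrected guard should be applied identically in each so they do not drift. The rest of unjar lies outside the hunk.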