FELIX-6189 - Make sure jar/zip files are jailed to the destination di…

…rectory
apache · Apr 14, 2020 · d54e684 · d54e684
1 parent 84b88a5
commit d54e684
Show file tree

Hide file tree

Showing 4 changed files with 14 additions and 2 deletions.
diff --git a/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/FileUtil.java b/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/FileUtil.java
@@ -112,6 +112,9 @@ public static void unjar(JarInputStream jis, File dir)
             }
 
             File target = new File(dir, je.getName());
+            if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+                throw new IOException("The output file is not contained in the destination directory");
+            }
 
             // Check to see if the JAR entry is a directory.
             if (je.isDirectory())
@@ -219,4 +222,4 @@ public static InputStream openURL(final URLConnection conn) throws IOException
             throw newException;
         }
     }
-}
+}
diff --git a/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/ObrGogoCommand.java b/bundlerepository/src/main/java/org/apache/felix/bundlerepository/impl/ObrGogoCommand.java
@@ -765,6 +765,9 @@ public static void unjar(JarInputStream jis, File dir)
             }
 
             File target = new File(dir, je.getName());
+            if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+                throw new IOException("The output file is not contained in the destination directory");
+            }
 
             // Check to see if the JAR entry is a directory.
             if (je.isDirectory())

diff --git a/...n/deploymentadmin/src/main/java/org/apache/felix/deploymentadmin/spi/SnapshotCommand.java b/...n/deploymentadmin/src/main/java/org/apache/felix/deploymentadmin/spi/SnapshotCommand.java
@@ -92,6 +92,9 @@ protected static void restore(File archiveFile, File targetDir) throws IOExcepti
             ZipEntry entry;
             while ((entry = input.getNextEntry()) != null) {
                 File targetEntry = new File(targetDir, entry.getName());
+                if (!targetEntry.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+                    throw new IOException("The output file is not contained in the destination directory");
+                }
 
                 if (entry.isDirectory()) {
                     if (!targetEntry.mkdirs()) {
@@ -223,4 +226,4 @@ protected void onFailure(Exception e) {
             m_session.getLog().log(LogService.LOG_WARNING, "Failed to restore snapshot!", e);
         }
     }
-}
+}
diff --git a/gogo/command/src/main/java/org/apache/felix/gogo/command/Util.java b/gogo/command/src/main/java/org/apache/felix/gogo/command/Util.java
@@ -166,6 +166,9 @@ public static void unjar(JarInputStream jis, File dir)
             }
 
             File target = new File(dir, je.getName());
+            if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+                throw new IOException("The output file is not contained in the destination directory");
+            }
 
             // Check to see if the JAR entry is a directory.
             if (je.isDirectory())