[jboss-svn-commits] JBoss Common SVN: r4862 - common-old/branches/Branch_1_2/src/main/org/jboss/util/file.
jboss-svn-commits at lists.jboss.org
Wed Oct 13 03:04:07 EDT 2010
Author: dimitris at jboss.org
Date: 2010-10-13 03:04:06 -0400 (Wed, 13 Oct 2010)
New Revision: 4862
Modified:
common-old/branches/Branch_1_2/src/main/org/jboss/util/file/JarUtils.java
Log:
JBCOMMON-108, CVE-2009-2693
When deploying WAR files, the WAR files were not checked for directory traversal attempts. This allows an attacker to create arbitrary content outside of the web root by including entries such as ../../bin/catalina.sh in the WAR.
Modified: common-old/branches/Branch_1_2/src/main/org/jboss/util/file/JarUtils.java
===================================================================
--- common-old/branches/Branch_1_2/src/main/org/jboss/util/file/JarUtils.java 2010-10-08 09:07:18 UTC (rev 4861)
+++ common-old/branches/Branch_1_2/src/main/org/jboss/util/file/JarUtils.java 2010-10-13 07:04:06 UTC (rev 4862)
@@ -262,6 +262,12 @@
JarInputStream jin = new JarInputStream(in);
byte[] buffer = new byte[1024];
+ String canonicalDocBasePrefix = dest.getCanonicalPath();
+ if (!canonicalDocBasePrefix.endsWith(File.separator))
+ {
+ canonicalDocBasePrefix += File.separator;
+ }
+
ZipEntry entry = jin.getNextEntry();
while (entry != null)
{
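Review bot: Missing documentation at the new prefix setup: add a short comment explaining why `File.separator` is appended to `canonicalDocBasePrefix`, since the later `startsWith` check depends on it; without the trailing separator a sibling directory whose name merely begins with the deploy directory's name (for example `dest` + "-other") would pass the prefix test. Computing the canonical prefix once outside the entry loop is the right placement, as it avoids a `getCanonicalPath()` filesystem round-trip per entry.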
@@ -278,7 +284,12 @@
{
fileName = fileName.replace('/', File.separatorChar);
}
- File file = new File(dest, fileName);
+ File file = new File(dest, fileName);
+ if (!file.getCanonicalPath().startsWith(canonicalDocBasePrefix))
+ {
+ throw new IOException("Illegal path: " + fileName);
+ }
+
if (entry.isDirectory())
{
// make sure the directory exists
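Review bot: The new check throws `IOException("Illegal path: " + fileName)` only when the offending entry is reached, so any entries processed earlier in the `while` loop have already been written under `dest`; callers should treat this exception as a signal to discard the partially extracted directory rather than leaving it in place. Placing the check before `entry.isDirectory()` is correct, as it covers both directory and file entries. Minor style point: the `+ File file = new File(dest, fileName);` line at the top of the hunk differs from the removed line only in whitespace and could be dropped to keep the diff minimal.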