Merge pull request #102 from coheigea/ARIES-1934
ARIES-1934 - Make sure jar/zip files are jailed to the destination di…
diff --git a/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java b/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
index 5bb448c..a4e2c14 100644
--- a/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
+++ b/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
@@ -243,14 +243,17 @@
JarInputStream jis = new JarInputStream(new FileInputStream(jarFile));
JarEntry je = null;
while((je = jis.getNextJarEntry()) != null) {
+ File outFile = new File(tempDir, je.getName());
+ if (!outFile.getCanonicalPath().startsWith(tempDir.getCanonicalPath())) {
+ throw new IOException("The output file is not contained in the destination directory");
+ }
+
if (je.isDirectory()) {
- File outDir = new File(tempDir, je.getName());
- ensureDirectory(outDir);
+ ensureDirectory(outFile);
continue;
}
- File outFile = new File(tempDir, je.getName());
File outDir = outFile.getParentFile();
ensureDirectory(outDir);
diff --git a/util/src/main/java/org/apache/aries/util/io/IOUtils.java b/util/src/main/java/org/apache/aries/util/io/IOUtils.java
index a926ea3..39054b2 100644
--- a/util/src/main/java/org/apache/aries/util/io/IOUtils.java
+++ b/util/src/main/java/org/apache/aries/util/io/IOUtils.java
@@ -274,7 +274,12 @@
isZip = false; // It's not a zip - that's ok, we'll return that below.
}
if(isZip){
- do {
+ do {
+ File outFile = new File(outputDir, zipEntry.getName());
+ if (!outFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+ throw new IOException("The output file is not contained in the destination directory");
+ }
+
if (!zipEntry.isDirectory()) {
writeOutAndDontCloseInputStream(outputDir, zipEntry.getName(), zis);
}
