Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (5.0/Cloud)

83478: Merged V4.2-BUG-FIX (4.2.4) to HEAD-BUG-FIX (5.0/Cloud)
      83322: Merged DEV to V4.2-BUG-FIX (4.2.4)
         83320 : MNT-12301
            - Util method was added for FileContentStore
            - Unit test added.
      83473: Merged V4.1-BUG-FIX (4.1.10) to V4.2-BUG-FIX (4.2.4) (RECORD ONLY)
      83474: Merged V4.1-BUG-FIX (4.1.10) to V4.2-BUG-FIX (4.2.4) (RECORD ONLY)


git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@83484 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
Alan Davis
2014-09-05 17:17:58 +00:00
parent 8c9981d791
commit 8ba7795cd5
2 changed files with 81 additions and 0 deletions


@@ -72,6 +72,7 @@ public class FileContentStore
private File rootDirectory;
private String rootAbsolutePath;
private String rootCanonicalPath;
private boolean allowRandomAccess;
private boolean readOnly;
private ApplicationContext applicationContext;
@@ -108,6 +109,15 @@ public class FileContentStore
rootAbsolutePath = rootDirectory.getAbsolutePath();
allowRandomAccess = true;
readOnly = false;
try
{
rootCanonicalPath = rootDirectory.getCanonicalPath();
}
catch (IOException e)
{
throw new ContentIOException("Failed to get store root canonical path: " + rootDirectory, e);
}
}
/**
@@ -349,6 +359,9 @@ public class FileContentStore
}
// get the file
File file = new File(rootDirectory, relativePath);
ensureFileInContentStore(file);
// done
return file;
}
@@ -677,4 +690,23 @@ public class FileContentStore
{
this.deleteEmptyDirs = deleteEmptyDirs;
}
/*
* Added as fix for MNT-12301, we should ensure that content store accesses content only inside of store root
*/
private void ensureFileInContentStore(File file)
{
try
{
String fileCanonicalPath = file.getCanonicalPath();
if (!fileCanonicalPath.startsWith(rootCanonicalPath))
{
throw new ContentIOException("Access to files outside of content store root is not allowed: " + file);
}
}
catch (IOException e)
{
throw new ContentIOException("Failed to get file canonical path: " + file, e);
}
}
}
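Review bot: The containment test in `ensureFileInContentStore` is a plain string prefix match, so a canonical path that merely begins with the same characters as the root (a sibling directory named `<root>-backup`, as a constructed example) is accepted as being inside the store. Compare on a path-element boundary instead, for example `if (!fileCanonicalPath.equals(rootCanonicalPath) && !fileCanonicalPath.startsWith(rootCanonicalPath + File.separator))`. Separately, `rootCanonicalPath` is assigned only in the constructor hunk shown here; if the class has another constructor or a way to change the root outside these hunks, the field would still be null and `startsWith` would throw a NullPointerException rather than a ContentIOException, so that is worth confirming. The check is called from one file-building method in the third hunk, and whether other code in the class builds `File` objects from a relative path without it cannot be seen from this page.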