Merged HEAD-BUG-FIX (5.0/Cloud) to HEAD (5.0/Cloud)
83478: Merged V4.2-BUG-FIX (4.2.4) to HEAD-BUG-FIX (5.0/Cloud) 83322: Merged DEV to V4.2-BUG-FIX (4.2.4) 83320 : MNT-12301 - Util method was added for FileContentStore - Unit test added. 83473: Merged V4.1-BUG-FIX (4.1.10) to V4.2-BUG-FIX (4.2.4) (RECORD ONLY) 83474: Merged V4.1-BUG-FIX (4.1.10) to V4.2-BUG-FIX (4.2.4) (RECORD ONLY) git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@83484 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -72,6 +72,7 @@ public class FileContentStore
|
|||||||
|
|
||||||
private File rootDirectory;
|
private File rootDirectory;
|
||||||
private String rootAbsolutePath;
|
private String rootAbsolutePath;
|
||||||
|
private String rootCanonicalPath;
|
||||||
private boolean allowRandomAccess;
|
private boolean allowRandomAccess;
|
||||||
private boolean readOnly;
|
private boolean readOnly;
|
||||||
private ApplicationContext applicationContext;
|
private ApplicationContext applicationContext;
|
||||||
@@ -108,6 +109,15 @@ public class FileContentStore
|
|||||||
rootAbsolutePath = rootDirectory.getAbsolutePath();
|
rootAbsolutePath = rootDirectory.getAbsolutePath();
|
||||||
allowRandomAccess = true;
|
allowRandomAccess = true;
|
||||||
readOnly = false;
|
readOnly = false;
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
rootCanonicalPath = rootDirectory.getCanonicalPath();
|
||||||
|
}
|
||||||
|
catch (IOException e)
|
||||||
|
{
|
||||||
|
throw new ContentIOException("Failed to get store root canonical path: " + rootDirectory, e);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
/**
|
/**
|
||||||
@@ -349,6 +359,9 @@ public class FileContentStore
|
|||||||
}
|
}
|
||||||
// get the file
|
// get the file
|
||||||
File file = new File(rootDirectory, relativePath);
|
File file = new File(rootDirectory, relativePath);
|
||||||
|
|
||||||
|
ensureFileInContentStore(file);
|
||||||
|
|
||||||
// done
|
// done
|
||||||
return file;
|
return file;
|
||||||
}
|
}
|
||||||
@@ -677,4 +690,23 @@ public class FileContentStore
|
|||||||
{
|
{
|
||||||
this.deleteEmptyDirs = deleteEmptyDirs;
|
this.deleteEmptyDirs = deleteEmptyDirs;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Added as fix for MNT-12301, we should ensure that content store accesses content only inside of store root
|
||||||
|
*/
|
||||||
|
private void ensureFileInContentStore(File file)
|
||||||
|
{
|
||||||
|
try
|
||||||
|
{
|
||||||
|
String fileCanonicalPath = file.getCanonicalPath();
|
||||||
|
if (!fileCanonicalPath.startsWith(rootCanonicalPath))
|
||||||
|
{
|
||||||
|
throw new ContentIOException("Access to files outside of content store root is not allowed: " + file);
|
||||||
|
}
|
||||||
|
}
|
||||||
|
catch (IOException e)
|
||||||
|
{
|
||||||
|
throw new ContentIOException("Failed to get file canonical path: " + file, e);
|
||||||
|
}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
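Review bot: The containment test in `ensureFileInContentStore` is a plain string prefix comparison, `fileCanonicalPath.startsWith(rootCanonicalPath)`, so a canonical path in a sibling directory whose name merely begins with the root's name is accepted as inside the store (constructed example: root `/data/store`, file under `/data/store2/`). Comparing on a path boundary closes that gap: `if (!fileCanonicalPath.equals(rootCanonicalPath) && !fileCanonicalPath.startsWith(rootCanonicalPath + File.separator))`. A root that is itself a filesystem root already ends in the separator and would need that case handled. `rootCanonicalPath` is resolved once in the constructor, so a comment on the field noting that later symlink changes to the root are not picked up would help. The method that calls `ensureFileInContentStore(file)` starts outside the hunk, so whether every route that builds a `File` from a content URL passes through it cannot be confirmed from here.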
@@ -28,6 +28,7 @@ import org.alfresco.repo.content.ContentLimitProvider;
|
|||||||
import org.alfresco.repo.content.ContentLimitProvider.SimpleFixedLimitProvider;
|
import org.alfresco.repo.content.ContentLimitProvider.SimpleFixedLimitProvider;
|
||||||
import org.alfresco.repo.content.ContentLimitViolationException;
|
import org.alfresco.repo.content.ContentLimitViolationException;
|
||||||
import org.alfresco.repo.content.ContentStore;
|
import org.alfresco.repo.content.ContentStore;
|
||||||
|
import org.alfresco.service.cmr.repository.ContentIOException;
|
||||||
import org.alfresco.service.cmr.repository.ContentWriter;
|
import org.alfresco.service.cmr.repository.ContentWriter;
|
||||||
import org.alfresco.test_category.OwnJVMTestsCategory;
|
import org.alfresco.test_category.OwnJVMTestsCategory;
|
||||||
import org.alfresco.util.TempFileProvider;
|
import org.alfresco.util.TempFileProvider;
|
||||||
@@ -241,6 +242,54 @@ public class FileContentStoreTest extends AbstractWritableContentStoreTest
|
|||||||
assertTrue("Stream close not detected", writer.isClosed());
|
assertTrue("Stream close not detected", writer.isClosed());
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/*
|
||||||
|
* Test for MNT-12301 case.
|
||||||
|
*/
|
||||||
|
public void testFileAccessOutsideStoreRoot()
|
||||||
|
{
|
||||||
|
String url = FileContentStore.STORE_PROTOCOL + ContentStore.PROTOCOL_DELIMITER + "../somefile.bin";
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
store.getReader(url);
|
||||||
|
fail("Access to content outside of content store root should not be allowed.");
|
||||||
|
}
|
||||||
|
catch (ContentIOException e)
|
||||||
|
{
|
||||||
|
//expected
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
store.exists(url);
|
||||||
|
fail("Access to content outside of content store root should not be allowed.");
|
||||||
|
}
|
||||||
|
catch (ContentIOException e)
|
||||||
|
{
|
||||||
|
//expected
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
store.delete(url);
|
||||||
|
fail("Access to content outside of content store root should not be allowed.");
|
||||||
|
}
|
||||||
|
catch (ContentIOException e)
|
||||||
|
{
|
||||||
|
//expected
|
||||||
|
}
|
||||||
|
|
||||||
|
try
|
||||||
|
{
|
||||||
|
store.getWriterInternal(null, url);
|
||||||
|
fail("Access to content outside of content store root should not be allowed.");
|
||||||
|
}
|
||||||
|
catch (ContentIOException e)
|
||||||
|
{
|
||||||
|
//expected
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
|
|
||||||
private void assertDirExists(File root, String dir)
|
private void assertDirExists(File root, String dir)
|
||||||
{
|
{
|
||||||
|
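Review bot: `testFileAccessOutsideStoreRoot` exercises only one shape of escape, `"../somefile.bin"`, which lands in the parent directory, so it would still pass if the store accepted a sibling directory whose name starts with the store root's name. A second URL built from the root directory's own name plus a suffix would pin the path-boundary behaviour, for example `String siblingUrl = FileContentStore.STORE_PROTOCOL + ContentStore.PROTOCOL_DELIMITER + "../" + rootDirName + "_sibling/somefile.bin";`, where `rootDirName` is a placeholder for however this test class obtains the store's root directory name. The four try/fail/catch blocks are identical apart from the call, so a small private helper taking the operation would make it cheap to run every call against both URLs. The `/* Test for MNT-12301 case. */` comment could state what is asserted: that `getReader`, `exists`, `delete` and `getWriterInternal` each throw `ContentIOException` for a URL resolving outside the store root.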