From aebd5bf941c25352e7237a5b16d82d613231e37c Mon Sep 17 00:00:00 2001
From: Alan Davis
Date: Sat, 31 Jan 2015 10:59:25 +0000
Subject: [PATCH] Merged HEAD-BUG-FIX (5.1/Cloud) to HEAD (5.1/Cloud) 90762: Merged V4.2-BUG-FIX (4.2.5) to HEAD-BUG-FIX (5.0/Cloud) 90378: Merged DEV to V4.2-BUG-FIX (4.2.4) 90372 : MNT-12708 : "Access to files outside of content store root is not allowed:" error when using symlinks inside the contentstore - Use normalized absolute path to control is content within content-store 90538: MNT-12708 : "Access to files outside of content store root is not allowed:" error when using symlinks inside the contentstore - Fix for the test failure git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@94705 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
---
 .../content/filestore/FileContentStore.java | 26 +++++--------------
 1 file changed, 6 insertions(+), 20 deletions(-)
diff --git a/source/java/org/alfresco/repo/content/filestore/FileContentStore.java b/source/java/org/alfresco/repo/content/filestore/FileContentStore.java
index 2930376666..0f82245879 100644
--- a/source/java/org/alfresco/repo/content/filestore/FileContentStore.java
+++ b/source/java/org/alfresco/repo/content/filestore/FileContentStore.java
@@ -40,6 +40,7 @@ import org.alfresco.service.cmr.repository.ContentWriter;
 import org.alfresco.util.Deleter;
 import org.alfresco.util.GUID;
 import org.alfresco.util.Pair;
+import org.apache.commons.io.FilenameUtils;
 import org.apache.commons.logging.Log;
 import org.apache.commons.logging.LogFactory;
 import org.springframework.beans.BeansException;
@@ -72,7 +73,6 @@ public class FileContentStore
 private File rootDirectory;
 private String rootAbsolutePath;
- private String rootCanonicalPath;
 private boolean allowRandomAccess;
 private boolean readOnly;
 private ApplicationContext applicationContext;
@@ -109,15 +109,6 @@ public class FileContentStore
 rootAbsolutePath = rootDirectory.getAbsolutePath();
 allowRandomAccess = true;
 readOnly = false;
-
- try
- {
- rootCanonicalPath = rootDirectory.getCanonicalPath();
- }
- catch (IOException e)
- {
- throw new ContentIOException("Failed to get store root canonical path: " + rootDirectory, e);
- }
 }
 /**
@@ -696,17 +687,12 @@ public class FileContentStore
 */
 private void ensureFileInContentStore(File file)
 {
- try
+ String fileNormalizedAbsoultePath = FilenameUtils.normalize(file.getAbsolutePath());
+ String rootNormalizedAbsolutePath = FilenameUtils.normalize(rootAbsolutePath);
+
+ if (!fileNormalizedAbsoultePath.startsWith(rootNormalizedAbsolutePath))
 {
- String fileCanonicalPath = file.getCanonicalPath();
- if (!fileCanonicalPath.startsWith(rootCanonicalPath))
- {
- throw new ContentIOException("Access to files outside of content store root is not allowed: " + file);
- }
- }
- catch (IOException e)
- {
- throw new ContentIOException("Failed to get file canonical path: " + file, e);
+ throw new ContentIOException("Access to files outside of content store root is not allowed: " + file);
 }
 }
 }
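Review bot: The containment test in the new `ensureFileInContentStore` body is a bare string `startsWith` on the normalized root, so a sibling directory whose name merely begins with the root's name (root plus any suffix) is accepted as being inside the store; the comparison should be anchored on a path-separator boundary. `FilenameUtils.normalize` also returns null when `..` segments climb above the filesystem root, so either local can be null and the `startsWith` call would then throw a NullPointerException instead of the intended ContentIOException. Because `getCanonicalPath()` is no longer used, the check is now purely lexical and will not notice a symlink inside the store that resolves outside it; that appears to be the intent of MNT-12708, but it deserves a comment stating that write access to the store directory is now the control against planted links. The local `fileNormalizedAbsoultePath` is misspelled and is renamed in the sketch below.

```java
private void ensureFileInContentStore(File file)
{
    String fileNormalizedAbsolutePath = FilenameUtils.normalize(file.getAbsolutePath());
    String rootNormalizedAbsolutePath = FilenameUtils.normalizeNoEndSeparator(rootAbsolutePath);

    // normalize() yields null when ".." segments climb above the filesystem root
    if (fileNormalizedAbsolutePath == null || rootNormalizedAbsolutePath == null)
    {
        throw new ContentIOException("Access to files outside of content store root is not allowed: " + file);
    }

    // Lexical check only: symlinks are deliberately not resolved (MNT-12708).
    // Compare on a separator boundary so a sibling of the root is not accepted.
    boolean insideRoot = fileNormalizedAbsolutePath.equals(rootNormalizedAbsolutePath)
            || fileNormalizedAbsolutePath.startsWith(rootNormalizedAbsolutePath + File.separator);
    if (!insideRoot)
    {
        throw new ContentIOException("Access to files outside of content store root is not allowed: " + file);
    }
}
```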