Merged 5.1.N (5.1.1) to HEAD (5.1)
116289 amukha: ACE-4513: Merged 5.0.N (5.0.3) to 5.1.N (5.1.1) 116284 amukha: MNT-15091: Merged V4.2-BUG-FIX (4.2.6) to 5.0.N (5.0.3) 116280 amukha: MNT-15090: Merged DEV to V4.2-BUG-FIX (4.2.6) 115799: MNT-15075 : [Pentest 121015] ZIP extraction code execution Fix and test git-svn-id: https://svn.alfresco.com/repos/alfresco-enterprise/alfresco/HEAD/root@116583 c4b6b30b-aa2e-2d43-bbcb-ca4b014f7261
@@ -69,6 +69,7 @@ public class ImporterActionExecuter extends ActionExecuterAbstractBase
|
||||
public static final String NAME = "import";
|
||||
public static final String PARAM_ENCODING = "encoding";
|
||||
public static final String PARAM_DESTINATION_FOLDER = "destination";
|
||||
public static final String ARCHIVE_CONTAINS_SUSPICIOUS_PATHS_ERROR = "Archive contains suspicious paths. Please review it's contents and make sure it doesn't contain entries with absolute paths or paths containing references to the parent folder (i.e. \"..\")";
|
||||
|
||||
private static final int BUFFER_SIZE = 16384;
|
||||
private static final String TEMP_FILE_PREFIX = "alf";
|
||||
@@ -348,6 +349,12 @@ public class ImporterActionExecuter extends ActionExecuterAbstractBase
|
||||
{
|
||||
fileName = entry.getName();
|
||||
fileName = fileName.replace('/', File.separatorChar);
|
||||
|
||||
if (fileName.startsWith("/") || fileName.indexOf(":" + File.separator) == 1 || fileName.contains(".." + File.separator))
|
||||
{
|
||||
throw new AlfrescoRuntimeException(ARCHIVE_CONTAINS_SUSPICIOUS_PATHS_ERROR);
|
||||
}
|
||||
|
||||
destFileName = extractDir + fileName;
|
||||
File destFile = new File(destFileName);
|
||||
String parent = destFile.getParent();
|
||||
|
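Review bot: The `if` added before `destFileName = extractDir + fileName` tests substrings of the entry name, so it does not establish that the destination stays under `extractDir`: a name ending in `..` with no trailing separator passes, and because `/` has already been replaced by `File.separatorChar`, the `startsWith("/")` branch can never be true on Windows. A containment check on the resolved path is more robust than a pattern list: `String dest = new File(extractDir, fileName).getCanonicalPath();` followed by `if (!dest.startsWith(new File(extractDir).getCanonicalPath() + File.separator)) throw new AlfrescoRuntimeException(ARCHIVE_CONTAINS_SUSPICIOUS_PATHS_ERROR);`. `getCanonicalPath()` throws `IOException`, and the enclosing loop and its exception handling lie outside the hunk, so the placement needs checking against the full method. The substring test also rejects legitimate entries such as a folder named `v1..`, which the containment check would accept.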