Adding additional verifications for upload

(cherry picked from commit c5bcbaabed)
2019-02-24 14:56:11 +01:00 · 2019-02-24 14:56:11 +01:00 · 747cc55b24
parent 0102f34cfe
commit 747cc55b24
1 changed files with 12 additions and 11 deletions
--- a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
+++ b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
@ -184,21 +184,22 @@ public class DefaultFileUploadService
    public Boolean deleteFile( String fileName )
        throws ArchivaRestServiceException
    {
-        Path file = SystemUtils.getJavaIoTmpDir().toPath().resolve( fileName );
+        // we make sure, that there are no other path components in the filename:
        String checkedFileName = Paths.get(fileName).getFileName().toString();
        Path file = SystemUtils.getJavaIoTmpDir().toPath().resolve( checkedFileName );
        log.debug( "delete file:{},exists:{}", file, Files.exists(file) );
        boolean removed = getSessionFileMetadatas().remove( new FileMetadata( fileName ) );
        // try with full name as ui only know the file name
-        if ( !removed )
+        if ( !removed ) {
-        {
+            removed = getSessionFileMetadatas().remove(new FileMetadata(file.toString()));
            /* unused */ getSessionFileMetadatas().remove( new FileMetadata( file.toString() ) );
        }
-        try
+        if (removed) {
-        {
+            try {
-            Files.deleteIfExists( file );
+                Files.deleteIfExists(file);
-        }
+                return Boolean.TRUE;
-        catch ( IOException e )
+            } catch (IOException e) {
-        {
+                log.error("Could not delete file {}: {}", file, e.getMessage(), e);
-            log.error("Could not delete file {}: {}", file, e.getMessage(), e);
+            }
        }
        return Boolean.FALSE;
    }