464556 - Restrict start module downloads to ${jetty.base} paths only

+ Restrict [files] section references (download/uri/maven) to
  output only in ${jetty.base} tree

jetty-start/src/main/java/org/eclipse/jetty/start/BaseBuilder.java

@@ -251,6 +251,11 @@ public class BaseBuilder
     {
         if (startArgs.isDownload() && (arg.uri != null))
         {
+            if (!file.startsWith(baseHome.getBasePath()))
+            {
+                throw new IOException("For security reasons, Jetty start is unable to process file resource not in ${jetty.base} - " + file);
+            }
+            
             URI uri = URI.create(arg.uri);
 
             // Process via initializers

jetty-start/src/main/java/org/eclipse/jetty/start/BaseHome.java

@@ -200,7 +200,7 @@ public class BaseHome
      */
     public Path getBasePath(String path)
     {
-        return baseDir.resolve(path);
+        return baseDir.resolve(path).normalize().toAbsolutePath();
     }
 
     public ConfigSources getConfigSources()

jetty-start/src/main/java/org/eclipse/jetty/start/fileinits/MavenLocalRepoFileInitializer.java

@@ -108,6 +108,11 @@ public class MavenLocalRepoFileInitializer extends UriFileInitializer implements
             return true;
         }
 
+        if (!file.startsWith(baseHome.getBasePath()))
+        {
+            throw new IOException("For security reasons, Jetty start is unable to process maven file resource not in ${jetty.base} - " + file);
+        }
+        
         // If using local repository
         if (this.localRepositoryDir != null)
         {