JETTY-1080

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@722 7e9141cc-0065-0410-87d8-b60c137991c4
2025-03-01 03:19:13 +00:00 · 2009-08-14 09:08:35 +00:00 · 2009-08-14 09:08:35 +00:00 · c8414e5ed1
commit c8414e5ed1
parent effe71fb90
3 changed files with 62 additions and 0 deletions
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/JarResource.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/JarResource.java
@ -194,6 +194,12 @@ public class JarResource extends URLResource
            File file=new File(directory,entryName);
            if(!file.getCanonicalPath().regionMatches(0,directory.getCanonicalPath()+"/",0,directory.getCanonicalPath().length()+1)) {
                if (Log.isDebugEnabled()) Log.debug("Invalid entry: " + entryName);
                continue;
            } 
            if (entry.isDirectory())
            {
                // Make directory
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/resource/ResourceTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/resource/ResourceTest.java
@ -16,6 +16,7 @@ package org.eclipse.jetty.util.resource;
 import java.io.File;
 import java.io.FilePermission;
 import java.io.FilenameFilter;
 import java.io.InputStream;
 import java.net.URL;
 import java.util.jar.JarInputStream;
@ -272,6 +273,61 @@ public class ResourceTest extends junit.framework.TestCase
        assertFalse(jarFileResource.isContainedIn(container));
    }
    /* ------------------------------------------------------------ */
    public void testJarFileCopyToDirectoryTraversal () throws Exception
    {
        String s = "jar:"+__userURL+"TestData/extract.zip!/";
        Resource r = Resource.newResource(s);
        assertTrue(r instanceof JarResource);
        JarResource jarResource = (JarResource)r;
        File destParent = File.createTempFile("copyjar", null);
        if (destParent.exists())
            destParent.delete();
        destParent.mkdir();
        destParent.deleteOnExit();
        File dest = new File(destParent.getCanonicalPath()+"/extract");
        if(dest.exists())
            dest.delete();
        dest.mkdir();
        dest.deleteOnExit();
        jarResource.copyTo(dest);
        // dest contains only the valid entry; dest.getParent() contains only the dest directory
        assertEquals(1, dest.listFiles().length);
        assertEquals(1, dest.getParentFile().listFiles().length);
        FilenameFilter dotdotFilenameFilter = new FilenameFilter() {
            public boolean accept(File directory, String name)
            {
                return name.equals("dotdot.txt");
            }
        };        
        assertEquals(0, dest.listFiles(dotdotFilenameFilter).length);
        assertEquals(0, dest.getParentFile().listFiles(dotdotFilenameFilter).length);
        FilenameFilter extractfileFilenameFilter = new FilenameFilter() {
            public boolean accept(File directory, String name)
            {
                return name.equals("extract-filenotdir");
            }
        };
        assertEquals(0, dest.listFiles(extractfileFilenameFilter).length);
        assertEquals(0, dest.getParentFile().listFiles(extractfileFilenameFilter).length);
        FilenameFilter currentDirectoryFilenameFilter = new FilenameFilter() {
            public boolean accept(File directory, String name)
            {
                return name.equals("current.txt");
            }
        };
        assertEquals(1, dest.listFiles(currentDirectoryFilenameFilter).length);
        assertEquals(0, dest.getParentFile().listFiles(currentDirectoryFilenameFilter).length);        
    }
    /**
     * Test a class path resource for existence.
     */
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/resource/TestData/extract.zip
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/resource/TestData/extract.zip