JETTY-1080

git-svn-id: svn+ssh://dev.eclipse.org/svnroot/rt/org.eclipse.jetty/jetty/trunk@722 7e9141cc-0065-0410-87d8-b60c137991c4
2025-03-01 03:19:13 +00:00 · 2009-08-14 09:08:35 +00:00 · 2009-08-14 09:08:35 +00:00 · c8414e5ed1
commit c8414e5ed1
parent effe71fb90
3 changed files with 62 additions and 0 deletions
--- a/jetty-util/src/main/java/org/eclipse/jetty/util/resource/JarResource.java
+++ b/jetty-util/src/main/java/org/eclipse/jetty/util/resource/JarResource.java
@ -194,6 +194,12 @@ public class JarResource extends URLResource
                
           
            File file=new File(directory,entryName);
+
+            if(!file.getCanonicalPath().regionMatches(0,directory.getCanonicalPath()+"/",0,directory.getCanonicalPath().length()+1)) {
+                if (Log.isDebugEnabled()) Log.debug("Invalid entry: " + entryName);
+                continue;
+            } 
+            
            if (entry.isDirectory())
            {
                // Make directory
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/resource/ResourceTest.java
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/resource/ResourceTest.java
@ -16,6 +16,7 @@ package org.eclipse.jetty.util.resource;

 import java.io.File;
 import java.io.FilePermission;
+import java.io.FilenameFilter;
 import java.io.InputStream;
 import java.net.URL;
 import java.util.jar.JarInputStream;
@ -272,6 +273,61 @@ public class ResourceTest extends junit.framework.TestCase
        assertFalse(jarFileResource.isContainedIn(container));
    }

+    /* ------------------------------------------------------------ */
+    public void testJarFileCopyToDirectoryTraversal () throws Exception
+    {
+        String s = "jar:"+__userURL+"TestData/extract.zip!/";
+        Resource r = Resource.newResource(s);
+
+        assertTrue(r instanceof JarResource);
+        JarResource jarResource = (JarResource)r;
+
+        File destParent = File.createTempFile("copyjar", null);
+        if (destParent.exists())
+            destParent.delete();
+        destParent.mkdir();
+        destParent.deleteOnExit();
+        
+        File dest = new File(destParent.getCanonicalPath()+"/extract");
+        if(dest.exists())
+            dest.delete();
+        dest.mkdir();
+        dest.deleteOnExit();
+
+        jarResource.copyTo(dest);
+
+        // dest contains only the valid entry; dest.getParent() contains only the dest directory
+        assertEquals(1, dest.listFiles().length);
+        assertEquals(1, dest.getParentFile().listFiles().length);
+
+        FilenameFilter dotdotFilenameFilter = new FilenameFilter() {
+            public boolean accept(File directory, String name)
+            {
+                return name.equals("dotdot.txt");
+            }
+        };        
+        assertEquals(0, dest.listFiles(dotdotFilenameFilter).length);
+        assertEquals(0, dest.getParentFile().listFiles(dotdotFilenameFilter).length);
+
+        FilenameFilter extractfileFilenameFilter = new FilenameFilter() {
+            public boolean accept(File directory, String name)
+            {
+                return name.equals("extract-filenotdir");
+            }
+        };
+        assertEquals(0, dest.listFiles(extractfileFilenameFilter).length);
+        assertEquals(0, dest.getParentFile().listFiles(extractfileFilenameFilter).length);
+
+        FilenameFilter currentDirectoryFilenameFilter = new FilenameFilter() {
+            public boolean accept(File directory, String name)
+            {
+                return name.equals("current.txt");
+            }
+        };
+        assertEquals(1, dest.listFiles(currentDirectoryFilenameFilter).length);
+        assertEquals(0, dest.getParentFile().listFiles(currentDirectoryFilenameFilter).length);        
+    }
+    
    /**
     * Test a class path resource for existence.
     */
--- a/jetty-util/src/test/java/org/eclipse/jetty/util/resource/TestData/extract.zip
+++ b/jetty-util/src/test/java/org/eclipse/jetty/util/resource/TestData/extract.zip