Fix customized resource lookup Path Traversal vulnerability
Affects issues: - Fixed #2830
parent
205692af65
commit
bd85f10c55
@ -156,6 +156,9 @@ public class PlanFiles implements SubSystem {
|
||||
Path dir = config.get().getResourceSettings().getCustomizationDirectory();
|
||||
if (dir.toFile().exists() && dir.toFile().isDirectory()) {
|
||||
Path asPath = dir.resolve(resourceName);
|
||||
if (!asPath.startsWith(dir)) {
|
||||
return Optional.empty();
|
||||
}
|
||||
File found = asPath.toFile();
|
||||
if (found.exists()) {
|
||||
return Optional.of(found);
|
||||
|
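Review bot: The new guard `if (!asPath.startsWith(dir))` compares path name elements without normalizing them, so a `resourceName` containing `..` segments still produces a path that starts with `dir` and passes; as written the check only rejects names that resolve to a different root or absolute path. Normalize both sides before comparing: `Path asPath = dir.resolve(resourceName).normalize();` followed by `if (!asPath.startsWith(dir.normalize())) {`. If symlinks inside the customization directory are in scope, comparing `toRealPath()` results once the file is known to exist would be stricter still. This applies unless callers already sanitize `resourceName`, which cannot be seen here because the enclosing method starts and ends outside the hunk. A regression test that passes a name with parent-directory segments and expects `Optional.empty()` would pin the behaviour.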