From 1bc275ea46e50581f87347a7736d432b0e9b2b3a Mon Sep 17 00:00:00 2001 From: zeeZ Date: Mon, 27 Jun 2011 21:23:39 +0800 Subject: [PATCH] Disallow .. in file path. Also logging, imports --- .../java/org/dynmap/regions/RegionHandler.java | 16 ++++++++-------- .../org/dynmap/web/handlers/FileHandler.java | 5 +---- .../dynmap/web/handlers/FilesystemHandler.java | 3 +++ 3 files changed, 12 insertions(+), 12 deletions(-) diff --git a/src/main/java/org/dynmap/regions/RegionHandler.java b/src/main/java/org/dynmap/regions/RegionHandler.java index 01ecd248..212233c4 100644 --- a/src/main/java/org/dynmap/regions/RegionHandler.java +++ b/src/main/java/org/dynmap/regions/RegionHandler.java @@ -1,24 +1,24 @@ package org.dynmap.regions; +import java.io.ByteArrayInputStream; +import java.io.ByteArrayOutputStream; import java.io.File; -import java.util.List; import java.io.FileNotFoundException; import java.io.IOException; import java.io.InputStream; import java.util.Collection; -import java.util.Map; import java.util.HashSet; -import java.util.logging.Level; +import java.util.List; +import java.util.Map; + import org.bukkit.util.config.Configuration; import org.dynmap.ConfigurationNode; +import org.dynmap.Log; import org.dynmap.web.HttpRequest; import org.dynmap.web.HttpResponse; import org.dynmap.web.Json; import org.dynmap.web.handlers.FileHandler; -import java.io.ByteArrayOutputStream; -import java.io.ByteArrayInputStream; - public class RegionHandler extends FileHandler { private ConfigurationNode regions; public RegionHandler(ConfigurationNode regions) { 
@@ -81,9 +81,9 @@ public class RegionHandler extends FileHandler { fos.close(); return new ByteArrayInputStream(fos.toByteArray()); } catch (FileNotFoundException ex) { - log.log(Level.SEVERE, "Exception while writing JSON-file.", ex); + Log.severe("Exception while writing JSON-file.", ex); } catch (IOException ioe) { - log.log(Level.SEVERE, "Exception while writing JSON-file.", ioe); + Log.severe("Exception while writing JSON-file.", ioe); } return null; } diff --git a/src/main/java/org/dynmap/web/handlers/FileHandler.java b/src/main/java/org/dynmap/web/handlers/FileHandler.java index 950b7df9..882ef613 100644 --- a/src/main/java/org/dynmap/web/handlers/FileHandler.java +++ b/src/main/java/org/dynmap/web/handlers/FileHandler.java @@ -6,7 +6,6 @@ import java.io.OutputStream; import java.util.HashMap; import java.util.LinkedList; import java.util.Map; -import java.util.logging.Logger; import org.dynmap.web.HttpField; import org.dynmap.web.HttpHandler; @@ -15,8 +14,6 @@ import org.dynmap.web.HttpResponse; import org.dynmap.web.HttpStatus; public abstract class FileHandler implements HttpHandler { - protected static final Logger log = Logger.getLogger("Minecraft"); - protected static final String LOG_PREFIX = "[dynmap] "; //BUG-this breaks re-entrancy of this handler, which is called from multiple threads (one per request) //private byte[] readBuffer = new byte[40960]; //Replace with pool of buffers @@ -59,7 +56,7 @@ public abstract class FileHandler implements HttpHandler { if (qmark >= 0) path = path.substring(0, qmark); - if (path.startsWith("/") || path.startsWith(".")) + if (path.startsWith("/") || path.startsWith(".") || path.contains("..")) return null; if (path.length() == 0) path = getDefaultFilename(path); diff --git a/src/main/java/org/dynmap/web/handlers/FilesystemHandler.java b/src/main/java/org/dynmap/web/handlers/FilesystemHandler.java index 50a82e25..da12f558 100644 --- a/src/main/java/org/dynmap/web/handlers/FilesystemHandler.java 
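Review bot: After this change the two catch clauses in the `-81,9` hunk are byte-identical apart from the variable name, and `FileNotFoundException` is a subclass of `IOException`, so the first clause is now dead weight; a single `} catch (IOException ioe) { Log.severe("Exception while writing JSON-file.", ioe); }` covers both. The log text says a JSON file is being written, yet the visible lines close `fos` and return a `ByteArrayInputStream` built from `fos.toByteArray()`, which looks like an in-memory buffer rather than a file — if that is the case the message is stale and a `FileNotFoundException` can no longer occur here at all, which is worth confirming against the start of the method. The enclosing method begins outside the hunk.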
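Review bot: The new `path.contains("..")` test in the `-59,7` hunk of FileHandler is a syntactic filter, and it is only as strong as the form `path` is in when it runs: the hunk shows the query string being cut at `qmark` but not any percent-decoding, so if `path` is still URL-encoded here, `%2e%2e/` passes this line and becomes `../` once it is decoded later — confirm that decoding happens before this check. The substring test also rejects ordinary names such as `notes..txt`; that is an acceptable trade for a pre-filter, but it should be stated, e.g. `// reject any '..' early; the resolved file is checked against the web root again in getFileInput`. The authoritative containment check belongs on the canonicalised `File` in FilesystemHandler rather than on this string, since the `getAbsolutePath()` comparison used there does not collapse `..`. The enclosing method starts and ends outside the hunk.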
+++ b/src/main/java/org/dynmap/web/handlers/FilesystemHandler.java @@ -21,6 +21,9 @@ public class FilesystemHandler extends FileHandler { } @Override protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) { + if(path == null) + return null; + File file = new File(root, path); FileLockManager.getReadLock(file); if (file.getAbsolutePath().startsWith(root.getAbsolutePath()) && file.isFile()) {
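Review bot: The containment check on the last line of the hunk, `file.getAbsolutePath().startsWith(root.getAbsolutePath())`, does not actually defend against traversal: `getAbsolutePath()` leaves `..` segments and symlinks in place, so `root/../../etc/passwd` still starts with root's absolute path, and a bare prefix compare also accepts a sibling directory whose name extends root's (`/srv/web` versus `/srv/web2`). The whole protection therefore rests on the `contains("..")` string filter added in FileHandler; comparing canonical paths, with a trailing `File.separator` on the root, makes this method safe on its own. `getCanonicalPath()` throws `IOException`, which the visible signature does not declare, and I cannot see where `FileLockManager.getReadLock(file)` is released, so the resolution is done before the lock is taken and fails closed by returning `null`, the same value the new `path == null` guard returns; `java.io.IOException` may need importing if the file does not already do so.
```java
    protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
        if(path == null)
            return null;

        File file = new File(root, path);
        // Resolve '..' and symlinks before comparing; getAbsolutePath() leaves them in place,
        // and the trailing separator stops a sibling such as "/srv/web2" matching root "/srv/web".
        String canonicalFile;
        String canonicalRoot;
        try {
            canonicalFile = file.getCanonicalPath();
            canonicalRoot = root.getCanonicalPath() + File.separator;
        } catch (IOException e) {
            return null;
        }
        FileLockManager.getReadLock(file);
        if (canonicalFile.startsWith(canonicalRoot) && file.isFile()) {
```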