Disallow .. in file path. Also logging, imports

zeeZ 2011-06-27 21:23:39 +08:00 committed by mikeprimm
parent d4f0161e14
commit 1bc275ea46
3 changed files with 12 additions and 12 deletions


@ -1,24 +1,24 @@
package org.dynmap.regions;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.util.List;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.util.Collection;
import java.util.Map;
import java.util.HashSet;
import java.util.logging.Level;
import java.util.List;
import java.util.Map;
import org.bukkit.util.config.Configuration;
import org.dynmap.ConfigurationNode;
import org.dynmap.Log;
import org.dynmap.web.HttpRequest;
import org.dynmap.web.HttpResponse;
import org.dynmap.web.Json;
import org.dynmap.web.handlers.FileHandler;
import java.io.ByteArrayOutputStream;
import java.io.ByteArrayInputStream;
public class RegionHandler extends FileHandler {
private ConfigurationNode regions;
public RegionHandler(ConfigurationNode regions) {
@ -81,9 +81,9 @@ public class RegionHandler extends FileHandler {
fos.close();
return new ByteArrayInputStream(fos.toByteArray());
} catch (FileNotFoundException ex) {
log.log(Level.SEVERE, "Exception while writing JSON-file.", ex);
Log.severe("Exception while writing JSON-file.", ex);
} catch (IOException ioe) {
log.log(Level.SEVERE, "Exception while writing JSON-file.", ioe);
Log.severe("Exception while writing JSON-file.", ioe);
}
return null;
}
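Review bot: The two catch blocks at the end of this method have identical bodies, and `FileNotFoundException` is a subclass of `IOException`, so a single `catch (IOException ex)` with one `Log.severe("Exception while writing JSON-file.", ex);` covers both. The `return null;` after the handlers appears to be the failure signal to the caller, which deserves a one-line comment such as `// null tells the caller no content is available`. The enclosing method starts outside the hunk.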


@ -6,7 +6,6 @@ import java.io.OutputStream;
import java.util.HashMap;
import java.util.LinkedList;
import java.util.Map;
import java.util.logging.Logger;
import org.dynmap.web.HttpField;
import org.dynmap.web.HttpHandler;
@ -15,8 +14,6 @@ import org.dynmap.web.HttpResponse;
import org.dynmap.web.HttpStatus;
public abstract class FileHandler implements HttpHandler {
protected static final Logger log = Logger.getLogger("Minecraft");
protected static final String LOG_PREFIX = "[dynmap] ";
//BUG-this breaks re-entrancy of this handler, which is called from multiple threads (one per request)
//private byte[] readBuffer = new byte[40960];
//Replace with pool of buffers
@ -59,7 +56,7 @@ public abstract class FileHandler implements HttpHandler {
if (qmark >= 0)
path = path.substring(0, qmark);
if (path.startsWith("/") || path.startsWith("."))
if (path.startsWith("/") || path.startsWith(".") || path.contains(".."))
return null;
if (path.length() == 0)
path = getDefaultFilename(path);
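Review bot: The added `path.contains("..")` test is a substring deny-list, so it also rejects legitimate names such as `notes..txt`, and it is only as reliable as the decoding done before it; whether `path` has already been percent-decoded at this point is not visible in the hunk. The containment test shown in FilesystemHandler.getFileInput compares `getAbsolutePath()` values, which do not collapse `..` segments and which also accept a sibling directory whose name merely begins with the root's name, so this string test is in practice the only traversal barrier. I would keep it, but make the file-level check authoritative by comparing `file.getCanonicalPath()` against `root.getCanonicalPath() + File.separator`, and add a comment here such as `// reject parent-directory segments; the filesystem handler re-checks the resolved path`. The enclosing method starts and ends outside the hunk.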


@ -21,6 +21,9 @@ public class FilesystemHandler extends FileHandler {
}
@Override
protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
if(path == null)
return null;
File file = new File(root, path);
FileLockManager.getReadLock(file);
if (file.getAbsolutePath().startsWith(root.getAbsolutePath()) && file.isFile()) {