Disallow .. in file path. Also logging, imports
parent
d4f0161e14
commit
1bc275ea46
@ -1,24 +1,24 @@
|
||||
package org.dynmap.regions;
|
||||
|
||||
import java.io.ByteArrayInputStream;
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.File;
|
||||
import java.util.List;
|
||||
import java.io.FileNotFoundException;
|
||||
import java.io.IOException;
|
||||
import java.io.InputStream;
|
||||
import java.util.Collection;
|
||||
import java.util.Map;
|
||||
import java.util.HashSet;
|
||||
import java.util.logging.Level;
|
||||
import java.util.List;
|
||||
import java.util.Map;
|
||||
|
||||
import org.bukkit.util.config.Configuration;
|
||||
import org.dynmap.ConfigurationNode;
|
||||
import org.dynmap.Log;
|
||||
import org.dynmap.web.HttpRequest;
|
||||
import org.dynmap.web.HttpResponse;
|
||||
import org.dynmap.web.Json;
|
||||
import org.dynmap.web.handlers.FileHandler;
|
||||
|
||||
import java.io.ByteArrayOutputStream;
|
||||
import java.io.ByteArrayInputStream;
|
||||
|
||||
public class RegionHandler extends FileHandler {
|
||||
private ConfigurationNode regions;
|
||||
public RegionHandler(ConfigurationNode regions) {
|
||||
@ -81,9 +81,9 @@ public class RegionHandler extends FileHandler {
|
||||
fos.close();
|
||||
return new ByteArrayInputStream(fos.toByteArray());
|
||||
} catch (FileNotFoundException ex) {
|
||||
log.log(Level.SEVERE, "Exception while writing JSON-file.", ex);
|
||||
Log.severe("Exception while writing JSON-file.", ex);
|
||||
} catch (IOException ioe) {
|
||||
log.log(Level.SEVERE, "Exception while writing JSON-file.", ioe);
|
||||
Log.severe("Exception while writing JSON-file.", ioe);
|
||||
}
|
||||
return null;
|
||||
}
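Review bot: The two catch blocks in this hunk log the same message through `Log.severe`, and FileNotFoundException is a subclass of IOException, so a single `catch (IOException ex) { Log.severe("Exception while writing JSON-file.", ex); }` would behave the same with less duplication. The message does not say which file failed; if a file name is in scope at this point, adding it to the log line would make the failure traceable. The method begins outside the hunk and falls through to `return null`, so a short comment stating that null means "no content available" would help callers.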
|
||||
|
@ -6,7 +6,6 @@ import java.io.OutputStream;
|
||||
import java.util.HashMap;
|
||||
import java.util.LinkedList;
|
||||
import java.util.Map;
|
||||
import java.util.logging.Logger;
|
||||
|
||||
import org.dynmap.web.HttpField;
|
||||
import org.dynmap.web.HttpHandler;
|
||||
@ -15,8 +14,6 @@ import org.dynmap.web.HttpResponse;
|
||||
import org.dynmap.web.HttpStatus;
|
||||
|
||||
public abstract class FileHandler implements HttpHandler {
|
||||
protected static final Logger log = Logger.getLogger("Minecraft");
|
||||
protected static final String LOG_PREFIX = "[dynmap] ";
|
||||
//BUG-this breaks re-entrancy of this handler, which is called from multiple threads (one per request)
|
||||
//private byte[] readBuffer = new byte[40960];
|
||||
//Replace with pool of buffers
|
||||
@ -59,7 +56,7 @@ public abstract class FileHandler implements HttpHandler {
|
||||
if (qmark >= 0)
|
||||
path = path.substring(0, qmark);
|
||||
|
||||
if (path.startsWith("/") || path.startsWith("."))
|
||||
if (path.startsWith("/") || path.startsWith(".") || path.contains(".."))
|
||||
return null;
|
||||
if (path.length() == 0)
|
||||
path = getDefaultFilename(path);
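Review bot: The added `path.contains("..")` test is a substring match on the path as it stands at this line, so it is only as strong as whatever decoding ran before it, and the hunk does not show that step. If the request path is percent-decoded anywhere after this check, the check needs to move behind the decode. A comment such as `// must run on the fully decoded path; rejects any ".." so no parent-directory segment reaches getFileInput` would record that requirement. The match also refuses legitimate file names that contain two consecutive dots, which is a safe trade-off but worth stating in the same comment. The enclosing method starts and ends outside the hunk; the `return null` appears to reach subclasses as a null path, and only FilesystemHandler's guard for that is visible in this commit.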
|
||||
|
@ -21,6 +21,9 @@ public class FilesystemHandler extends FileHandler {
|
||||
}
|
||||
@Override
|
||||
protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
|
||||
if(path == null)
|
||||
return null;
|
||||
|
||||
File file = new File(root, path);
|
||||
FileLockManager.getReadLock(file);
|
||||
if (file.getAbsolutePath().startsWith(root.getAbsolutePath()) && file.isFile()) {
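Review bot: The containment test `file.getAbsolutePath().startsWith(root.getAbsolutePath())` is left as the last check before the file is served, and it is weaker than it reads. getAbsolutePath() neither collapses `..` nor resolves symbolic links, and a plain string prefix also accepts a sibling directory whose name merely begins with the root's name. Comparing canonical paths with a trailing separator closes both gaps, e.g. `file.getCanonicalPath().startsWith(root.getCanonicalPath() + File.separator)`, with the IOException from getCanonicalPath() treated as a rejection. `FileLockManager.getReadLock(file)` is also called before the path is validated; the rest of the method is outside the hunk, so confirm the lock is released when the check fails.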
|
||||
|