Upstream/dynmap
1
0
Fork 0
mirror of https://github.com/webbukkit/dynmap.git synced 2024-11-24 19:25:15 +01:00
Code Issues Projects Releases Wiki Activity

Fix Security Exploit

Browse Source
This commit is contained in:
Jason Booth 2011-06-27 06:57:21 -05:00 committed by FrozenCow
parent 47620fe79e
commit d3b621f90b
1 changed files with 14 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

23
src/main/java/org/dynmap/web/handlers/FilesystemHandler.java
View File

@ -6,6 +6,7 @@ import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import org.dynmap.Log;
import org.dynmap.utils.FileLockManager;
import org.dynmap.web.HttpField;
import org.dynmap.web.HttpRequest;
@ -23,16 +24,20 @@ public class FilesystemHandler extends FileHandler {
protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
File file = new File(root, path);
FileLockManager.getReadLock(file);
if (file.getAbsolutePath().startsWith(root.getAbsolutePath()) && file.isFile()) {
FileInputStream result;
try {
result = new FileInputStream(file);
} catch (FileNotFoundException e) {
FileLockManager.releaseReadLock(file);
return null;
try {
if (file.getCanonicalPath().startsWith(root.getAbsolutePath()) && file.isFile()) {
FileInputStream result;
try {
result = new FileInputStream(file);
} catch (FileNotFoundException e) {
FileLockManager.releaseReadLock(file);
return null;
}
response.fields.put(HttpField.ContentLength, Long.toString(file.length()));
return result;
}
response.fields.put(HttpField.ContentLength, Long.toString(file.length()));
return result;
} catch(IOException ex) {
Log.severe("Unable to get canoical path of requested file.", ex);
}
FileLockManager.releaseReadLock(file);
return null;