Fix Security Exploit

Jason Booth 2011-06-27 06:57:21 -05:00 committed by FrozenCow
parent 47620fe79e
commit d3b621f90b


@ -6,6 +6,7 @@ import java.io.FileNotFoundException;
import java.io.IOException; import java.io.IOException;
import java.io.InputStream; import java.io.InputStream;
import org.dynmap.Log;
import org.dynmap.utils.FileLockManager; import org.dynmap.utils.FileLockManager;
import org.dynmap.web.HttpField; import org.dynmap.web.HttpField;
import org.dynmap.web.HttpRequest; import org.dynmap.web.HttpRequest;
@ -23,7 +24,8 @@ public class FilesystemHandler extends FileHandler {
protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) { protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
File file = new File(root, path); File file = new File(root, path);
FileLockManager.getReadLock(file); FileLockManager.getReadLock(file);
if (file.getAbsolutePath().startsWith(root.getAbsolutePath()) && file.isFile()) { try {
if (file.getCanonicalPath().startsWith(root.getAbsolutePath()) && file.isFile()) {
FileInputStream result; FileInputStream result;
try { try {
result = new FileInputStream(file); result = new FileInputStream(file);
@ -34,6 +36,9 @@ public class FilesystemHandler extends FileHandler {
response.fields.put(HttpField.ContentLength, Long.toString(file.length())); response.fields.put(HttpField.ContentLength, Long.toString(file.length()));
return result; return result;
} }
} catch(IOException ex) {
Log.severe("Unable to get canoical path of requested file.", ex);
}
FileLockManager.releaseReadLock(file); FileLockManager.releaseReadLock(file);
return null; return null;
} }
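Review bot: The new containment test `file.getCanonicalPath().startsWith(root.getAbsolutePath())` in getFileInput compares a canonical path against a non-canonical one and matches on a bare string prefix. If `root` is configured through a symlink or a relative segment, no canonical file path will match it, and a sibling directory whose name merely begins with the root's name would still satisfy `startsWith`. Canonicalising both sides and anchoring on the separator closes both gaps: `String base = root.getCanonicalPath() + File.separator;` then `if (file.getCanonicalPath().startsWith(base) && file.isFile()) {`, both inside the existing `try` so the `IOException` is still caught. Separately, `FileLockManager.getReadLock(file)` runs before the path is validated, so a lock is taken on whatever path the request names; moving it after the check would avoid that. The part of the method between the second and third hunks is not shown, so the lock-release paths there could not be reviewed.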