mirror of
https://github.com/webbukkit/dynmap.git
synced 2024-11-09 12:10:59 +01:00
Fix Security Exploit
parent
47620fe79e
commit
d3b621f90b
@ -6,6 +6,7 @@ import java.io.FileNotFoundException;
|
|||||||
import java.io.IOException;
|
import java.io.IOException;
|
||||||
import java.io.InputStream;
|
import java.io.InputStream;
|
||||||
|
|
||||||
|
import org.dynmap.Log;
|
||||||
import org.dynmap.utils.FileLockManager;
|
import org.dynmap.utils.FileLockManager;
|
||||||
import org.dynmap.web.HttpField;
|
import org.dynmap.web.HttpField;
|
||||||
import org.dynmap.web.HttpRequest;
|
import org.dynmap.web.HttpRequest;
|
||||||
@ -23,16 +24,20 @@ public class FilesystemHandler extends FileHandler {
|
|||||||
protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
|
protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
|
||||||
File file = new File(root, path);
|
File file = new File(root, path);
|
||||||
FileLockManager.getReadLock(file);
|
FileLockManager.getReadLock(file);
|
||||||
if (file.getAbsolutePath().startsWith(root.getAbsolutePath()) && file.isFile()) {
|
try {
|
||||||
FileInputStream result;
|
if (file.getCanonicalPath().startsWith(root.getAbsolutePath()) && file.isFile()) {
|
||||||
try {
|
FileInputStream result;
|
||||||
result = new FileInputStream(file);
|
try {
|
||||||
} catch (FileNotFoundException e) {
|
result = new FileInputStream(file);
|
||||||
FileLockManager.releaseReadLock(file);
|
} catch (FileNotFoundException e) {
|
||||||
return null;
|
FileLockManager.releaseReadLock(file);
|
||||||
|
return null;
|
||||||
|
}
|
||||||
|
response.fields.put(HttpField.ContentLength, Long.toString(file.length()));
|
||||||
|
return result;
|
||||||
}
|
}
|
||||||
response.fields.put(HttpField.ContentLength, Long.toString(file.length()));
|
} catch(IOException ex) {
|
||||||
return result;
|
Log.severe("Unable to get canoical path of requested file.", ex);
|
||||||
}
|
}
|
||||||
FileLockManager.releaseReadLock(file);
|
FileLockManager.releaseReadLock(file);
|
||||||
return null;
|
return null;
|
||||||
|
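Review bot: The new containment test in getFileInput compares `file.getCanonicalPath()` with `root.getAbsolutePath()` as a plain string prefix, which still leaves two gaps. A prefix match has no separator boundary, so a canonical path in a sibling directory whose name merely begins with the root's name passes the test. The root itself is also not canonicalised, so a root configured through a symlink or a relative segment may never match, and legitimate requests would be refused. Canonicalise both sides and compare against the root plus a separator: `String base = root.getCanonicalPath() + File.separator;` followed by `if (file.getCanonicalPath().startsWith(base) && file.isFile()) {`. The log message misspells "canonical", and the method's closing brace lies outside the hunk.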