Fix Security Exploit

src/main/java/org/dynmap/web/handlers/FilesystemHandler.java

@@ -6,6 +6,7 @@ import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.io.InputStream;
 
+import org.dynmap.Log;
 import org.dynmap.utils.FileLockManager;
 import org.dynmap.web.HttpField;
 import org.dynmap.web.HttpRequest;
@@ -23,16 +24,20 @@ public class FilesystemHandler extends FileHandler {
     protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
         File file = new File(root, path);
         FileLockManager.getReadLock(file);
-        if (file.getAbsolutePath().startsWith(root.getAbsolutePath()) && file.isFile()) {
+        try {
-            FileInputStream result;
+            if (file.getCanonicalPath().startsWith(root.getAbsolutePath()) && file.isFile()) {
-            try {
+                FileInputStream result;
-                result = new FileInputStream(file);
+                try {
-            } catch (FileNotFoundException e) {
+                    result = new FileInputStream(file);
-                FileLockManager.releaseReadLock(file);
+                } catch (FileNotFoundException e) {
-                return null;
+                    FileLockManager.releaseReadLock(file);
+                    return null;
+                }
+                response.fields.put(HttpField.ContentLength, Long.toString(file.length()));
+                return result;
             }
-            response.fields.put(HttpField.ContentLength, Long.toString(file.length()));
+        } catch(IOException ex) {
-            return result;
+            Log.severe("Unable to get canoical path of requested file.", ex);
         }
         FileLockManager.releaseReadLock(file);
         return null;