This is an automated email from the ASF dual-hosted git repository. lhotari pushed a commit to branch branch-4.15 in repository https://gitbox.apache.org/repos/asf/bookkeeper.git
commit 4baa901908bbd15028110af083d5ba248ee2f11d
Author: Hang Chen <[email protected]>
AuthorDate: Mon Mar 4 12:08:41 2024 +0800

    Fix uncontrolled data used in path expression (#4221)

    * Fix uncontrolled data used in path expression
    * update code
    * update code

    (cherry picked from commit 34d85153f7387a5e1012f31d694ce8956eeed275)
---
 .../src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
index 8d1351207e..343b7178c3 100644
--- a/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
+++ b/bookkeeper-server/src/main/java/org/apache/bookkeeper/util/LocalBookKeeper.java
@@ -59,6 +59,7 @@ import org.apache.bookkeeper.shims.zk.ZooKeeperServerShimFactory;
 import org.apache.bookkeeper.stats.NullStatsLogger;
 import org.apache.bookkeeper.zookeeper.ZooKeeperClient;
 import org.apache.commons.io.FileUtils;
+import org.apache.commons.lang3.StringUtils;
 import org.apache.zookeeper.CreateMode;
 import org.apache.zookeeper.KeeperException;
 import org.apache.zookeeper.Op;
@@ -334,6 +335,13 @@ public class LocalBookKeeper implements AutoCloseable {
      * @throws IOException
      */
     private void serializeLocalBookieConfig(ServerConfiguration localBookieConfig, String fileName) throws IOException {
+        if (StringUtils.isBlank(fileName)
+                || fileName.contains("..")
+                || fileName.contains("/")
+                || fileName.contains("\\")) {
+            throw new IllegalArgumentException("Invalid filename: " + fileName);
+        }
+
         File localBookieConfFile = new File(localBookiesConfigDir, fileName);
         if (localBookieConfFile.exists() && !localBookieConfFile.delete()) {
             throw new IOException(
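Review bot: The added denylist still accepts `fileName` equal to `"."`, which is not blank and contains neither `..` nor a separator, so `new File(localBookiesConfigDir, ".")` on the next context line resolves to the config directory itself and the `exists() && !delete()` check that follows would attempt to delete that directory instead of a file. A containment check on the resolved path is more robust than substring matching: normalize the absolute path of `localBookiesConfigDir` and of the candidate file, and require the candidate's parent to equal the base directory, which rejects `.`, `..`, separators and absolute names in one step. Whichever form is kept, the method's Javadoc, whose closing `*/` is inside this hunk, should gain `@throws IllegalArgumentException if {@code fileName} is blank or would resolve outside {@code localBookiesConfigDir}`. The callers that build `fileName` are not in the hunk, so whether the value can be externally influenced cannot be judged from here; serializeLocalBookieConfig's body also continues past the hunk.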
