This is an automated email from the ASF dual-hosted git repository. vavrtom pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/qpid-broker-j.git
The following commit(s) were added to refs/heads/main by this push: new 1f93cf1382 QPID-8600: [Broker-J] File path validation in management-http plugin (#140) 1f93cf1382 is described below commit 1f93cf1382839f7304d81c3848b4da6ef6c75020 Author: Daniil Kirilyuk <daniel.kiril...@gmail.com> AuthorDate: Fri Sep 23 11:06:34 2022 +0200 QPID-8600: [Broker-J] File path validation in management-http plugin (#140) * QPID-8600: [Broker-J] File path validation in management-http plugin * QPID-8600: [Broker-J] Restored new line to end of file Co-authored-by: vavrtom <vavricka.to...@gmail.com> --- .../management/plugin/GunzipOutputStream.java | 9 ++-- .../management/plugin/servlet/FileServlet.java | 50 ++++++++-------------- 2 files changed, 22 insertions(+), 37 deletions(-)
diff --git a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/GunzipOutputStream.java b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/GunzipOutputStream.java
index cf98a2b501..25364fae83 100644
--- a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/GunzipOutputStream.java
+++ b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/GunzipOutputStream.java
@@ -47,9 +47,9 @@ public class GunzipOutputStream extends InflaterOutputStream
 }
 
 @Override
- public void write(final byte data[], final int offset, final int length) throws IOException
+ public void write (final byte[] data, final int offset, final int length) throws IOException
 {
- try(ByteArrayInputStream bais = new ByteArrayInputStream(data, offset, length))
+ try (ByteArrayInputStream bais = new ByteArrayInputStream(data, offset, length))
 {
 int b;
 while ((b = bais.read()) != -1)
@@ -92,7 +92,6 @@ public class GunzipOutputStream extends InflaterOutputStream
 {
 _trailer.verify(_crc);
 _streamState = StreamState.DONE;
- continue;
 }
 }
 }
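Review bot: The new signature `public void write (final byte[] data, final int offset, final int length) throws IOException` puts a space between the method name and its parameter list, which no other signature touched by this commit does (`doGet(`, `FileServlet(`) and which the project's formatter would undo; suggest `public void write(final byte[] data, final int offset, final int length) throws IOException`. The body of write continues past the hunk. In the second hunk the dropped `continue;` is followed by three closing braces and the hunk ends there, so it is not visible whether any statement in the enclosing loop iteration ran after that block; if one does, the removal changes control flow and is worth confirming against the full loop.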
@@ -109,7 +108,7 @@ public class GunzipOutputStream extends InflaterOutputStream ID1, ID2, CM, FLG, MTIME_0, MTIME_1, MTIME_2, MTIME_3, XFL, OS, XLEN_0, XLEN_1, FEXTRA, FNAME, FCOMMENT, CRC16_0, CRC16_1, DONE } - private class GZIPHeader + private static class GZIPHeader { private static final int GZIP_MAGIC_1 = 0x1F; private static final int GZIP_MAGIC_2 = 0x8B;
@@ -256,7 +255,7 @@ public class GunzipOutputStream extends InflaterOutputStream
 {
 private static final int TRAILER_SIZE = 8;
 private static final long SIZE_MASK = 0xffffffffL;
- private byte[] _trailerBytes = new byte[TRAILER_SIZE];
+ private final byte[] _trailerBytes = new byte[TRAILER_SIZE];
 private int _receivedByteIndex;
 
 private boolean trailerByte(int b) throws IOException
diff --git a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/FileServlet.java b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/FileServlet.java
index 0dbcaac458..155dc5e98d 100644
--- a/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/FileServlet.java
+++ b/broker-plugins/management-http/src/main/java/org/apache/qpid/server/management/plugin/servlet/FileServlet.java
@@ -41,11 +41,10 @@ public class FileServlet extends HttpServlet private static final String RESOURCES_PREFIX = "/resources"; private static final Map<String, String> CONTENT_TYPES; - + static { - - Map<String, String> contentTypes = new HashMap<String, String>(); + final Map<String, String> contentTypes = new HashMap<>(); contentTypes.put("js", "application/javascript"); contentTypes.put("html", "text/html"); contentTypes.put("css", "text/css");
@@ -65,17 +64,18 @@ public class FileServlet extends HttpServlet
 this(RESOURCES_PREFIX, false);
 }
 
- public FileServlet(String resourcePathPrefix, boolean usePathInfo)
+ public FileServlet(final String resourcePathPrefix, final boolean usePathInfo)
 {
 _resourcePathPrefix = resourcePathPrefix;
 _usePathInfo = usePathInfo;
 }
 
 @Override
- protected void doGet(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException
+ protected void doGet(final HttpServletRequest request,
+ final HttpServletResponse response) throws ServletException, IOException
 {
- String filename = null;
- if(_usePathInfo)
+ String filename;
+ if (_usePathInfo)
 {
 filename = request.getPathInfo();
 }
@@ -84,48 +84,34 @@ public class FileServlet extends HttpServlet
 filename = request.getServletPath();
 }
 
- if(filename.contains("."))
+ if (filename.contains("."))
 {
- String suffix = filename.substring(filename.lastIndexOf('.')+1);
- String contentType = CONTENT_TYPES.get(suffix);
- if(contentType != null)
+ final String suffix = filename.substring(filename.lastIndexOf('.')+1);
+ final String contentType = CONTENT_TYPES.get(suffix);
+ if (contentType != null)
 {
 response.setContentType(contentType);
 }
 }
 
- URL resourceURL = getClass().getResource(_resourcePathPrefix + filename);
- if(resourceURL != null)
+ final URL resourceURL = getClass().getResource(_resourcePathPrefix + filename);
+ if (resourceURL != null && !filename.contains(".."))
 {
 response.setStatus(HttpServletResponse.SC_OK);
- InputStream fileInput = resourceURL.openStream();
- try
+ try (final InputStream fileInput = resourceURL.openStream();
+ final OutputStream output = HttpManagementUtil.getOutputStream(request, response))
 {
 byte[] buffer = new byte[1024];
- int read = 0;
- OutputStream output = HttpManagementUtil.getOutputStream(request, response);
- try
- {
- while((read = fileInput.read(buffer)) != -1)
- {
- output.write(buffer, 0, read);
- }
- }
- finally
+ int read;
+ while ((read = fileInput.read(buffer)) != -1)
 {
- output.close();
+ output.write(buffer, 0, read);
 }
 }
- finally
- {
- fileInput.close();
- }
 }
 else
 {
 response.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown file");
 }
-
 }
-
 }
--------------------------------------------------------------------- To unsubscribe, e-mail: commits-unsubscr...@qpid.apache.org For additional commands, e-mail: commits-h...@qpid.apache.org
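Review bot: The new traversal guard `if (resourceURL != null && !filename.contains(".."))` is evaluated only after `getClass().getResource(_resourcePathPrefix + filename)` has already been resolved and after the content-type block has already called `response.setContentType(contentType)` for the same request, so a rejected path still drives the classpath lookup and still gets a content type on its 404. Doing the path validation first, before the suffix handling and the lookup, keeps untrusted input out of both steps. The same early check is also the natural place to reject a null or empty name: when `_usePathInfo` is set and the request carries no extra path, `request.getPathInfo()` can return null and `filename.contains(".")` would throw before the guard is ever reached; that is pre-existing, but this commit is the validation change. doGet begins in the previous hunk, outside this one.
```java
// … unchanged: filename selection from getPathInfo()/getServletPath() …
if (filename == null || filename.isEmpty() || filename.contains(".."))
{
    response.sendError(HttpServletResponse.SC_NOT_FOUND, "unknown file");
    return;
}
// … unchanged: content-type lookup by suffix …
final URL resourceURL = getClass().getResource(_resourcePathPrefix + filename);
if (resourceURL != null)
{
    // … unchanged: stream the resource to the response …
```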