Repository: ranger Updated Branches: refs/heads/master c324ece11 -> 7019d3c6b
RANGER-1450 - Avoid path traversal attacks when reading XML files Signed-off-by: Colm O hEigeartaigh <cohei...@apache.org> Project: http://git-wip-us.apache.org/repos/asf/ranger/repo Commit: http://git-wip-us.apache.org/repos/asf/ranger/commit/79da7d92 Tree: http://git-wip-us.apache.org/repos/asf/ranger/tree/79da7d92 Diff: http://git-wip-us.apache.org/repos/asf/ranger/diff/79da7d92 Branch: refs/heads/master Commit: 79da7d92721bb48b6fe96444cfb2c801a524a8a7 Parents: c324ece Author: Colm O hEigeartaigh <cohei...@apache.org> Authored: Mon Mar 13 10:37:41 2017 +0000 Committer: Colm O hEigeartaigh <cohei...@apache.org> Committed: Tue May 9 14:20:30 2017 +0100 ---------------------------------------------------------------------- .../src/main/java/org/apache/ranger/plugin/util/XMLUtils.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/ranger/blob/79da7d92/agents-common/src/main/java/org/apache/ranger/plugin/util/XMLUtils.java ----------------------------------------------------------------------
diff --git a/agents-common/src/main/java/org/apache/ranger/plugin/util/XMLUtils.java b/agents-common/src/main/java/org/apache/ranger/plugin/util/XMLUtils.java
index 5eb61ab..3b674f8 100644
--- a/agents-common/src/main/java/org/apache/ranger/plugin/util/XMLUtils.java
+++ b/agents-common/src/main/java/org/apache/ranger/plugin/util/XMLUtils.java
@@ -103,7 +103,12 @@ public class XMLUtils {
 InputStream ret = null;
- File f = new File(path);
+ // Guard against path traversal attacks
+ String sanitizedPath = new File(path).getName();
+ if ("".equals(sanitizedPath)) {
+ return null;
+ }
+ File f = new File(sanitizedPath);
 if (f.exists()) {
 ret = new FileInputStream(f);
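Review bot: `new File(path).getName()` silently rewrites the requested path instead of rejecting it, so a caller that passes a relative path with a directory part (for example a constructed `conf/policy.xml`) or an absolute path now opens whatever file of that name sits in the process working directory, with no log or error showing that the path was altered. If directory components are never legitimate here, rejecting is clearer and easier to audit: `if (sanitizedPath.isEmpty() || !sanitizedPath.equals(path)) { return null; }`. If they are legitimate, resolve the input against a configured base directory and check that the canonical result stays under it. Note also that `..` and `.` pass through `getName()` unchanged, so the following `f.exists()` succeeds on a directory; `f.isFile()` would be the tighter test. The method continues past the end of the hunk, so any later use of the raw `path` (not visible here) would need the same treatment.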