Author: taylor
Date: Fri Jan 15 01:13:20 2016
New Revision: 1724717
URL: http://svn.apache.org/viewvc?rev=1724717&view=rev
Log: rejecting zip entries whose path is absolute or contains ".." during Site Manager import
Modified: portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java
Modified: portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java?rev=1724717&r1=1724716&r2=1724717&view=diff
==============================================================================
--- portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java (original)
+++ portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java Fri Jan 15 01:13:20 2016
@@ -1437,15 +1437,17 @@ public class PortalSiteManager extends A
                 success = true;
             }
             else if (fileType.equalsIgnoreCase("zip")) {
-                unzipfile(fileName, StringUtils.removeEnd(usrFolder, pathSeparator), pathSeparator);
-                folder = getServiceLocator()
-                        .getCastorPageManager()
-                        .getFolder(userName);
-                importFolders(
-                        pageManager,
-                        getServiceLocator()
-                                .getCastorPageManager(),
-                        folder, userName, destPath, copyIds);
+                int count = unzipfile(fileName, StringUtils.removeEnd(usrFolder, pathSeparator), pathSeparator);
+                if (count > 0) {
+                    folder = getServiceLocator()
+                            .getCastorPageManager()
+                            .getFolder(userName);
+                    importFolders(
+                            pageManager,
+                            getServiceLocator()
+                                    .getCastorPageManager(),
+                            folder, userName, destPath, copyIds);
+                }
                 success = true;
             }
         }
@@ -3738,12 +3740,12 @@ public class PortalSiteManager extends A
         out.close();
     }
 
-    private boolean unzipfile(String file, String destination, String sepreator)
+    private int unzipfile(String file, String destination, String sepreator)
     {
         Enumeration entries;
         String filePath = "";
         ZipFile zipFile = null;
-
+        int count = 0;
         try
         {
             zipFile = new ZipFile(destination + sepreator + file);
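Review bot: `success = true;` is still assigned unconditionally after the new `if (count > 0)` block, so an archive whose every entry was rejected by unzipfile, or one that failed with an IOException partway through, is reported as a successful import even though nothing (or only part of it) was imported. Move the assignment inside the guard, `if (count > 0) { … success = true; }`, or have unzipfile signal failure separately so the caller can report it. The enclosing method starts and ends outside the hunk, so whatever consumes `success` afterwards is not visible here.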
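Review bot: The changed signature `private int unzipfile(String file, String destination, String sepreator)` gives the return value a new meaning (number of entries written instead of a boolean) but carries no documentation, and the rest of the method, including what happens on an IOException, is in later hunks. A Javadoc above the signature would pin the contract, e.g. `/** Extracts the archive {@code file} located under {@code destination}. Entries with a rejected path are skipped and logged. @return the number of entries actually written, 0 if none */`. While the signature is being touched, the parameter name `sepreator` is a misspelling of `separator` and could be corrected.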
@@ -3751,6 +3753,10 @@ public class PortalSiteManager extends A
             while (entries.hasMoreElements())
             {
                 ZipEntry entry = (ZipEntry) entries.nextElement();
+                if (entry.getName().indexOf("..") > -1 || entry.getName().startsWith("/")) {
+                    log.error("Zip Entry has invalid path: " + entry.getName() );
+                    continue;
+                }
                 filePath = destination + sepreator + entry.getName();
                 createPath(filePath);
@@ -3762,6 +3768,7 @@ public class PortalSiteManager extends A
                     input = zipFile.getInputStream(entry);
                     output = new FileOutputStream(filePath);
                     IOUtils.copy(input, output);
+                    count++;
                 }
                 finally
                 {
@@ -3769,12 +3776,10 @@ public class PortalSiteManager extends A
                     IOUtils.closeQuietly(input);
                 }
             }
-            return true;
         }
         catch (IOException ioe)
         {
             log.error("Unexpected IO exception.", ioe);
-            return false;
         }
         finally
         {
@@ -3789,6 +3794,7 @@ public class PortalSiteManager extends A
             }
         }
     }
+    return count;
 }
 
 private void createPath(String filePath)
---------------------------------------------------------------------
To unsubscribe, e-mail: jetspeed-dev-unsubscr...@portals.apache.org
For additional commands, e-mail: jetspeed-dev-h...@portals.apache.org
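Review bot: The added `if` rejects any entry name containing the substring `..` or starting with `/`, which both over- and under-approximates where `destination + sepreator + entry.getName()` will actually land: a legitimate entry such as `notes..txt` is refused, while names the filesystem normalises differently (a drive prefix, redundant separators) are never measured against the target directory. The robust form resolves each entry against the destination and checks that the canonical result stays inside it; the loop already sits in a try that catches IOException (later hunk), so getCanonicalFile() needs no new handling, though java.io.File must be in scope. Because a rejected entry is only logged and skipped, a hostile archive still has its remaining entries extracted and, via the caller's `count > 0` guard, imported — consider aborting the whole extraction on the first bad entry instead of `continue`. The surrounding while loop and its try/finally continue outside this hunk.
```java
File destDir = new File(destination).getCanonicalFile();
// … unchanged: open ZipFile, entries loop header …
ZipEntry entry = (ZipEntry) entries.nextElement();
File target = new File(destDir, entry.getName()).getCanonicalFile();
if (!target.getPath().startsWith(destDir.getPath() + File.separator)) {
    log.error("Zip Entry has invalid path: " + entry.getName());
    continue;
}
filePath = target.getPath();
// … unchanged: createPath and stream copy …
```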
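Review bot: With `return false;` removed from the `catch (IOException ioe)` block, an archive that fails partway through extraction now falls through to `return count;` with the number of entries written before the failure, so the caller cannot distinguish a clean extraction from a truncated one and will import the partial tree. Mark the failure in the catch, e.g. `count = -1;` after the `log.error(...)` call, so a negative result (which the caller's `count > 0` guard already treats as "do not import") carries the error out of the method. The finally block that follows is cut off by the hunk boundary.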