Repository: commons-compress Updated Branches: refs/heads/master 048b701a9 -> b5071c2f8
COMPRESS-351 CPIO InputStream sanitizes file names now Project: http://git-wip-us.apache.org/repos/asf/commons-compress/repo Commit: http://git-wip-us.apache.org/repos/asf/commons-compress/commit/b5071c2f Tree: http://git-wip-us.apache.org/repos/asf/commons-compress/tree/b5071c2f Diff: http://git-wip-us.apache.org/repos/asf/commons-compress/diff/b5071c2f Branch: refs/heads/master Commit: b5071c2f8bcaa96cc9efb0214b2896cc26996ca9 Parents: 048b701 Author: Stefan Bodewig <[email protected]> Authored: Tue Jun 7 18:46:10 2016 +0200 Committer: Stefan Bodewig <[email protected]> Committed: Tue Jun 7 18:46:10 2016 +0200 ---------------------------------------------------------------------- src/changes/changes.xml | 7 +++++++ .../compress/archivers/cpio/CpioArchiveInputStream.java | 12 +++++++++--- 2 files changed, 16 insertions(+), 3 deletions(-) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/commons-compress/blob/b5071c2f/src/changes/changes.xml ---------------------------------------------------------------------- diff --git a/src/changes/changes.xml b/src/changes/changes.xml index 4a46e25..57d76b5 100644 --- a/src/changes/changes.xml +++ b/src/changes/changes.xml 
@@ -74,6 +74,13 @@ The <action> type attribute can be add,update,fix,remove. BZip2CompressorOutputStream#finish is now synchronized to avoid a race condition with the finalize method. </action> + <action issue="COMPRESS-351" type="update" date="2016-06-07"> + ZipArchiveInputStream and CpioArchiveInputStream could throw + exceptions who's messages contained potentially corrupt entry + names read from a broken archive. They will now sanitize the + names by replacing unprintable characters and restricting the + length to 255 characters. + </action> </release> <release version="1.11" date="2016-04-06" description="Release 1.11"> http://git-wip-us.apache.org/repos/asf/commons-compress/blob/b5071c2f/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java ---------------------------------------------------------------------- diff --git a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java index 8c69bce..6e4d09e 100644 --- a/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java +++ b/src/main/java/org/apache/commons/compress/archivers/cpio/CpioArchiveInputStream.java @@ -384,7 +384,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements final String name = readCString((int) namesize); ret.setName(name); if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){ - throw new IOException("Mode 0 only allowed in the trailer. Found entry name: "+name + " Occured at byte: " + getBytesRead()); + throw new IOException("Mode 0 only allowed in the trailer. Found entry name: " + + ArchiveUtils.sanitize(name) + + " Occured at byte: " + getBytesRead()); } skip(ret.getHeaderPadCount()); 
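Review bot: Only the exception text is sanitized in the hunk at @@ -384; the context line `ret.setName(name)` just above the check still stores the raw name read from the archive, so on the non-throwing path the entry carries unfiltered bytes to whatever later logs or displays it. A comment above the check would make that boundary explicit, e.g. `// name is untrusted archive data: sanitized for the message only, the entry keeps the raw value`. The same applies to the hunks at @@ -410 and @@ -436. The enclosing method starts and ends outside the hunk, so how callers treat the returned entry name is not visible here.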
@@ -410,7 +412,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements final String name = readCString((int) namesize); ret.setName(name); if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){ - throw new IOException("Mode 0 only allowed in the trailer. Found entry: "+ name + " Occured at byte: " + getBytesRead()); + throw new IOException("Mode 0 only allowed in the trailer. Found entry: " + + ArchiveUtils.sanitize(name) + + " Occured at byte: " + getBytesRead()); } return ret; @@ -436,7 +440,9 @@ public class CpioArchiveInputStream extends ArchiveInputStream implements final String name = readCString((int) namesize); ret.setName(name); if (CpioUtil.fileType(mode) == 0 && !name.equals(CPIO_TRAILER)){ - throw new IOException("Mode 0 only allowed in the trailer. Found entry: "+name + "Occured at byte: " + getBytesRead()); + throw new IOException("Mode 0 only allowed in the trailer. Found entry: " + + ArchiveUtils.sanitize(name) + + "Occured at byte: " + getBytesRead()); } skip(ret.getHeaderPadCount());
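Review bot: The context line `readCString((int) namesize)` in the hunk at @@ -410 narrows a length to int with no range check visible here. If namesize comes from the archive header, as its name suggests, a value outside int range (or negative after the cast) reaches the read before the mode check runs. A guard ahead of the read would fail early with a clear message, for instance `if (namesize < 0 || namesize > Integer.MAX_VALUE) { throw new IOException("Invalid name size. Occurred at byte: " + getBytesRead()); }`. The declaration of namesize and the body of readCString are outside the hunk, so an existing check may already cover this. The same line appears in the hunks at @@ -384 and @@ -436.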
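Review bot: The message in the hunk at @@ -436 joins the sanitized name directly to `"Occured at byte: "` with no separator, so the name and the next word run together; this is harder to read now that sanitize can alter or shorten the name. Use `+ " Occurred at byte: " + getBytesRead());` here, and consider the same spelling fix and a single label (`Found entry name: ` versus `Found entry: `) in the hunks at @@ -384 and @@ -410. The three throw statements are otherwise identical, so a small private helper that builds this IOException would keep the wording from drifting again. The enclosing method continues outside the hunk.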
