Author: schulte
Date: Thu Jun 23 00:33:34 2016
New Revision: 1749800

URL: http://svn.apache.org/viewvc?rev=1749800&view=rev
Log:
[MSHARED-563] Directory traversal in org.apache.maven.shared.utils.Expand


Modified:
    
maven/shared/trunk/maven-shared-utils/src/main/java/org/apache/maven/shared/utils/Expand.java

Modified: 
maven/shared/trunk/maven-shared-utils/src/main/java/org/apache/maven/shared/utils/Expand.java
URL: 
http://svn.apache.org/viewvc/maven/shared/trunk/maven-shared-utils/src/main/java/org/apache/maven/shared/utils/Expand.java?rev=1749800&r1=1749799&r2=1749800&view=diff
==============================================================================
--- 
maven/shared/trunk/maven-shared-utils/src/main/java/org/apache/maven/shared/utils/Expand.java
 (original)
+++ 
maven/shared/trunk/maven-shared-utils/src/main/java/org/apache/maven/shared/utils/Expand.java
 Thu Jun 23 00:33:34 2016
@@ -170,6 +170,11 @@ class Expand
     {
         File targetFile = new File( destDir, entryName );
 
+        if ( !targetFile.getAbsolutePath().startsWith( 
destDir.getAbsolutePath() ) )
+        {
+            throw new IOException( "Entry '" + entryName + "' outside the 
target directory." );
+        }
+
         // if overwrite is specified and the file type
         // of the existing file does not match, then delete it
         if ( overwrite && targetFile.exists() && targetFile.isDirectory() != 
isDirectory )
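Review bot: The added guard compares `targetFile.getAbsolutePath()` with `destDir.getAbsolutePath()`, but `getAbsolutePath()` does not collapse `..` segments, so an entry name containing them still produces a string that begins with the destination path and passes the check. A plain string `startsWith` also accepts a sibling directory whose name merely begins with the destination's name. Comparing canonical paths on a separator boundary closes both gaps: `String dest = destDir.getCanonicalPath();`, `String target = targetFile.getCanonicalPath();`, `if ( !target.equals( dest ) && !target.startsWith( dest + File.separator ) )`. The enclosing method starts and ends outside this hunk, so it is only inferred from the new `throw` that it already declares `IOException`, which `getCanonicalPath()` needs. The commit touches only Expand.java, so a regression test with an entry name that resolves outside the target directory would be worth adding.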

