From tay...@apache.org
Subject svn commit: r1724717 - /portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java
Date Fri, 15 Jan 2016 01:13:21 GMT
Author: taylor
Date: Fri Jan 15 01:13:20 2016
New Revision: 1724717

URL: http://svn.apache.org/viewvc?rev=1724717&view=rev
Log:
denying all non-relative zip file paths during Site Manager import

Modified:
    portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java

Modified: portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java
URL: http://svn.apache.org/viewvc/portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java?rev=1724717&r1=1724716&r2=1724717&view=diff
==============================================================================
--- portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java
(original)
+++ portals/jetspeed-2/applications/j2-admin/trunk/src/main/java/org/apache/jetspeed/portlets/site/PortalSiteManager.java
Fri Jan 15 01:13:20 2016
@@ -1437,15 +1437,17 @@ public class PortalSiteManager extends A
                                         success = true;
                                     } else if (fileType.equalsIgnoreCase("zip"))
                                     {
-                                        unzipfile(fileName, StringUtils.removeEnd(usrFolder,
pathSeparator), pathSeparator);
-                                        folder = getServiceLocator()
-                                                .getCastorPageManager()
-                                                .getFolder(userName);
-                                        importFolders(
-                                                pageManager,
-                                                getServiceLocator()
-                                                        .getCastorPageManager(),
-                                                folder, userName, destPath, copyIds);
+                                        int count = unzipfile(fileName, StringUtils.removeEnd(usrFolder,
pathSeparator), pathSeparator);
+                                        if (count > 0) {
+                                            folder = getServiceLocator()
+                                                    .getCastorPageManager()
+                                                    .getFolder(userName);
+                                            importFolders(
+                                                    pageManager,
+                                                    getServiceLocator()
+                                                            .getCastorPageManager(),
+                                                    folder, userName, destPath, copyIds);
+                                        }
                                         success = true;
                                     }
                                 }
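Review bot: `success = true;` still runs after the new `if (count > 0)` block, so an archive whose entries were all rejected, or one that could not be opened, is reported as a successful import even though `importFolders` was skipped. The later `unzipfile` hunks also drop `return false` from the `catch (IOException ioe)` branch, so an I/O failure part-way through returns a positive count and the import proceeds on a partially extracted tree. Consider `success = count > 0;` here, and have `unzipfile` signal failure distinctly, for instance by returning `-1` from the catch block. The enclosing method starts and ends outside this hunk, so how `success` is reported to the user is not visible here.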
@@ -3738,12 +3740,12 @@ public class PortalSiteManager extends A
         out.close();
     }
 
-    private boolean unzipfile(String file, String destination, String sepreator)
+    private int unzipfile(String file, String destination, String sepreator)
     {
         Enumeration entries;
         String filePath = "";
         ZipFile zipFile = null;
-        
+        int count = 0;
         try
         {
             zipFile = new ZipFile(destination + sepreator + file);
@@ -3751,6 +3753,10 @@ public class PortalSiteManager extends A
             while (entries.hasMoreElements())
             {
                 ZipEntry entry = (ZipEntry) entries.nextElement();
+                if (entry.getName().indexOf("..") > -1 || entry.getName().startsWith("/"))
{
+                    log.error("Zip Entry has invalid path: " + entry.getName() );
+                    continue;
+                }
                 filePath = destination + sepreator + entry.getName();
                 createPath(filePath);
                 
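Review bot: The new guard on `entry.getName()` judges the text of the name rather than the location the file would be written to, so it works as a deny-list: it rejects harmless names that merely contain two dots (`a..b.psml`) and assumes a leading `/` is the only form a rooted name can take. A containment check on the resolved path is more robust: canonicalise the destination and the target, and skip the entry unless the target lies under the destination, as sketched below (this assumes `java.io.File` is already imported, which the hunk does not show). The entry name comes from the uploaded archive and is logged unmodified, so replacing CR/LF before logging keeps a crafted name from forging log lines. Rejected entries are only logged, so the import branch cannot tell the user that part of the archive was skipped.

```java
ZipEntry entry = (ZipEntry) entries.nextElement();
File destDir = new File(destination).getCanonicalFile();
File target = new File(destDir, entry.getName()).getCanonicalFile();
if (!target.getPath().startsWith(destDir.getPath() + File.separator))
{
    log.error("Zip Entry resolves outside import folder: "
            + entry.getName().replaceAll("[\\r\\n]", "_"));
    continue;
}
filePath = target.getPath();
// … unchanged: createPath(filePath) and the stream copy …
```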
@@ -3762,6 +3768,7 @@ public class PortalSiteManager extends A
                     input = zipFile.getInputStream(entry);
                     output = new FileOutputStream(filePath);
                     IOUtils.copy(input, output);
+                    count++;
                 }
                 finally
                 {
@@ -3769,12 +3776,10 @@ public class PortalSiteManager extends A
                     IOUtils.closeQuietly(input);
                 }
             }
-            return true;
         }
         catch (IOException ioe)
         {
             log.error("Unexpected IO exception.", ioe);
-            return false;
         }
         finally
         {
@@ -3789,6 +3794,7 @@ public class PortalSiteManager extends A
                 }
             }
         }
+        return count;
     }
 
     private void createPath(String filePath)


