Diffstat (limited to 'bundles/org.eclipse.equinox.p2.jarprocessor/src/org')
2 files changed, 13 insertions, 3 deletions
diff --git a/bundles/org.eclipse.equinox.p2.jarprocessor/src/org/eclipse/equinox/internal/p2/jarprocessor/ZipProcessor.java b/bundles/org.eclipse.equinox.p2.jarprocessor/src/org/eclipse/equinox/internal/p2/jarprocessor/ZipProcessor.java
index 0b41efe81..92879e84b 100644
--- a/bundles/org.eclipse.equinox.p2.jarprocessor/src/org/eclipse/equinox/internal/p2/jarprocessor/ZipProcessor.java
+++ b/bundles/org.eclipse.equinox.p2.jarprocessor/src/org/eclipse/equinox/internal/p2/jarprocessor/ZipProcessor.java
@@ -83,7 +83,7 @@ public class ZipProcessor {
 File extractedFile = null;
 if (entry.getName().endsWith(extension) && (pack || sign || repack || options.unpack)) {
- extractedFile = new File(tempDir, name);
+ extractedFile = createSubPathFile(tempDir, name);
 parent = extractedFile.getParentFile();
 if (!parent.exists())
 parent.mkdirs();
@@ -192,6 +192,16 @@ public class ZipProcessor {
 }
+ public static File createSubPathFile(File root, String subPath) throws IOException {
+ File result = new File(root, subPath);
+ String resultCanonical = result.getCanonicalPath();
+ String rootCanonical = root.getCanonicalPath();
+ if (!resultCanonical.startsWith(rootCanonical + File.separator) && !resultCanonical.equals(rootCanonical)) {
+ throw new IOException("Invalid path: " + subPath); //$NON-NLS-1$
+ }
+ return result;
+ }
+
 private void initialize(ZipFile zip) {
 ZipEntry entry = zip.getEntry("pack.properties"); //$NON-NLS-1$
 properties = new Properties();
diff --git a/bundles/org.eclipse.equinox.p2.jarprocessor/src/org/eclipse/internal/provisional/equinox/p2/jarprocessor/JarProcessor.java b/bundles/org.eclipse.equinox.p2.jarprocessor/src/org/eclipse/internal/provisional/equinox/p2/jarprocessor/JarProcessor.java
index a73cf3b8c..fcc6a4d53 100644
--- a/bundles/org.eclipse.equinox.p2.jarprocessor/src/org/eclipse/internal/provisional/equinox/p2/jarprocessor/JarProcessor.java
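Review bot: In `createSubPathFile` (second ZipProcessor hunk) the containment test is a string-prefix match on `rootCanonical + File.separator`, so every entry is rejected when `root` canonicalises to a path that already ends in a separator (a filesystem root such as `/`). The method also returns the non-canonical `result`, so a name such as `a/../b.jar` passes the check yet still carries its `..` segments into the `getParentFile()` and `mkdirs()` calls in the callers. Comparing path elements covers both cases, provided no caller depends on the un-normalised path: `File canonical = result.getCanonicalFile();` `if (!canonical.toPath().startsWith(root.getCanonicalFile().toPath())) throw new IOException("Invalid path: " + subPath);` `return canonical;`. The helper is `public static` and is called from `JarProcessor` in another package, so a Javadoc stating that it rejects names resolving outside `root` and throws `IOException` would record the contract those callers rely on.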
+++ b/bundles/org.eclipse.equinox.p2.jarprocessor/src/org/eclipse/internal/provisional/equinox/p2/jarprocessor/JarProcessor.java
@@ -98,7 +98,7 @@ public class JarProcessor {
 JarEntry newEntry = null;
 if (replacements.containsKey(entry.getName())) {
 String name = replacements.get(entry.getName());
- replacement = new File(directory, name);
+ replacement = ZipProcessor.createSubPathFile(directory, name);
 if (name != null) {
 if (replacement.exists()) {
 try {
@@ -196,7 +196,7 @@ public class JarProcessor {
 System.out.println("Processing nested file: " + name); //$NON-NLS-1$
 }
 //extract entry to temp directory
- File extracted = new File(tempDir, name);
+ File extracted = ZipProcessor.createSubPathFile(tempDir, name);
 File parentDir = extracted.getParentFile();
 if (!parentDir.exists())
 parentDir.mkdirs(); |
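Review bot: In the first JarProcessor hunk the `if (name != null)` guard on the next context line runs only after `ZipProcessor.createSubPathFile(directory, name)` has passed `name` to `new File(root, subPath)`. That constructor throws `NullPointerException` for a null child, so a key mapped to null in `replacements` never reaches the guard; the ordering predates this commit, but the new call keeps it. Moving the validation inside the guard keeps the null case on its intended path: `if (name != null) { replacement = ZipProcessor.createSubPathFile(directory, name);`. The guarded block continues past the end of the hunk, so whether `replacement` is read again when `name` is null cannot be confirmed from here.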