author | Thomas Watson | 2022-01-12 18:07:08 +0000 |
---|---|---|
committer | Thomas Watson | 2022-01-12 20:25:49 +0000 |
commit | d74e6eaad4e361f8636aa57ab382cabbd97d91c7 (patch) | |
tree | 53734859c3b18efdafc921111188dc1fd41ee5b6 | |
parent | 1756cbc8fcfebfb3d0644b6cdfaaddd4ea0065d4 (diff) | |
Bug 578189 - Calls to Bundle.getEntry can break out of a directory
bundle content
Change-Id: Ib025f235f015d0a0d2e625101974dd693d765669
Signed-off-by: Thomas Watson <tjwatson@us.ibm.com>
Reviewed-on: https://git.eclipse.org/r/c/equinox/rt.equinox.framework/+/189554
3 files changed, 33 insertions, 11 deletions
diff --git a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
index bf986cd3e..c70961082 100644
--- a/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
+++ b/bundles/org.eclipse.osgi.tests/src/org/eclipse/osgi/tests/bundles/BundleResourceTests.java
@@ -20,7 +20,10 @@ import junit.framework.TestSuite;
 import org.eclipse.core.tests.harness.CoreTest;
 import org.eclipse.osgi.service.environment.EnvironmentInfo;
 import org.eclipse.osgi.tests.OSGiTestsActivator;
-import org.osgi.framework.*;
+import org.osgi.framework.Bundle;
+import org.osgi.framework.BundleException;
+import org.osgi.framework.InvalidSyntaxException;
+import org.osgi.framework.ServiceReference;
 public class BundleResourceTests extends CoreTest {
 private BundleInstaller installer;
@@ -69,6 +72,12 @@ public class BundleResourceTests extends CoreTest {
 assertNotNull("Did not find resource!", paths);
 }
+ public void testBreakOutDirBundle() throws Exception {
+ Bundle bundle = installer.installBundle("test"); //$NON-NLS-1$
+ URL result = bundle.getEntry("../testout/file.txt");
+ assertNull("Found resource!", result);
+ }
+
 public void testBug395274() throws Exception {
 ServiceReference<EnvironmentInfo> infoRef = OSGiTestsActivator.getContext().getServiceReference(EnvironmentInfo.class);
 EnvironmentInfo info = OSGiTestsActivator.getContext().getService(infoRef);
diff --git a/bundles/org.eclipse.osgi.tests/test_files/resourcetests/bundles/testout/file.txt b/bundles/org.eclipse.osgi.tests/test_files/resourcetests/bundles/testout/file.txt
new file mode 100644
index 000000000..8d043451c
--- /dev/null
+++ b/bundles/org.eclipse.osgi.tests/test_files/resourcetests/bundles/testout/file.txt
@@ -0,0 +1 @@
+Test Content
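Review bot: `testBreakOutDirBundle` in BundleResourceTests.java depends on the fixture directory `testout` having a name that begins with the name of the installed bundle directory (presumably `test`, next to it under `resourcetests/bundles`), but nothing in the test says so, and a later fixture rename would leave it passing without exercising the prefix check. A comment above the `getEntry` call such as `// "testout" is a sibling of the bundle dir whose name starts with "test"; a plain startsWith on canonical paths would accept it` would record that. The test also runs only in the default configuration; the second call site changed in DirBundleFile.java appears to be reached only when `enableStrictBundleEntryPath` is set, so a variant with that option enabled looks worth adding.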
\ No newline at end of file
diff --git a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/storage/bundlefile/DirBundleFile.java b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/storage/bundlefile/DirBundleFile.java
index 42483984f..cef28b8fd 100644
--- a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/storage/bundlefile/DirBundleFile.java
+++ b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/storage/bundlefile/DirBundleFile.java
@@ -68,13 +68,8 @@ public class DirBundleFile extends BundleFile {
 if (!enableStrictBundleEntryPath) {
 // must do an extra check to make sure file is within the bundle (bug 320546)
- if (checkInBundle) {
- try {
- if (!BundleFile.secureAction.getCanonicalPath(file).startsWith(BundleFile.secureAction.getCanonicalPath(basefile)))
- return null;
- } catch (IOException e) {
- return null;
- }
+ if (checkInBundle && !isInBundle(file)) {
+ return null;
 }
 return file;
 }
@@ -105,9 +100,8 @@ public class DirBundleFile extends BundleFile {
 }
 }
 // must do an extra check to make sure file is within the bundle (bug 320546)
- if (checkInBundle) {
- if (!canonicalFile.getPath().startsWith(basefile.getPath()))
- return null;
+ if (checkInBundle && !isInBundle(file)) {
+ return null;
 }
 } catch (IOException e) {
 return null;
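Review bot: In the second DirBundleFile hunk (`@@ -105,9 +100,8 @@`), `isInBundle(file)` canonicalizes `file` and `basefile` again although the removed line read a `canonicalFile` that appears to be in scope at this point, so the containment decision is made on a second, separate resolution of the path. Besides the extra filesystem calls on every lookup, two resolutions can disagree if a link in the path changes between them; handing the already resolved value to the check, for example through an overload like `isInBundle(File file, String canonicalPath)`, would keep one resolution per lookup. The enclosing method starts and ends outside both hunks, so this is inferred from the removed lines only. The retained comment in both hunks still cites only bug 320546; `(bug 320546, bug 578189)` would point readers at the prefix issue as well.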
@@ -116,6 +110,24 @@ public class DirBundleFile extends BundleFile {
 return file;
 }
+ boolean isInBundle(File file) {
+ try {
+ String canonicalizedRoot = BundleFile.secureAction.getCanonicalPath(basefile);
+ if (!canonicalizedRoot.endsWith(File.separator)) {
+ canonicalizedRoot += File.separator;
+ }
+ String canonicalizedChild = BundleFile.secureAction.getCanonicalPath(file);
+ if (BundleFile.secureAction.isDirectory(file) && !canonicalizedChild.endsWith(File.separator)) {
+ canonicalizedChild += File.separator;
+ }
+ if (!canonicalizedChild.startsWith(canonicalizedRoot)) {
+ return false;
+ }
+ } catch (IOException e) {
+ return false;
+ }
+ return true;
+ }
 private void cacheIfParentExists(File parentFile) {
 doesNotExistCache.computeIfAbsent(parentFile, secureAction::isDirectory); |
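Review bot: `isInBundle` carries no comment explaining why a trailing `File.separator` is appended before `startsWith`, which is the whole point of the fix: without it a sibling directory whose name merely begins with the bundle directory's name passes the prefix test. A short Javadoc stating that the method returns true only when the canonical path of `file` is the bundle root or lies beneath it, and that any `IOException` is treated as outside the bundle, would keep a later cleanup from removing the separator handling. The separator bookkeeping and the extra `isDirectory` call could also be replaced by a component-wise comparison such as `return Paths.get(canonicalizedChild).startsWith(Paths.get(canonicalizedRoot));`, which would need a `java.nio.file.Paths` import that is not visible in this hunk. The method is package-private while the neighbouring `cacheIfParentExists` is `private`; if nothing outside the class calls it, `private` is the tighter choice.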