authorThomas Watson2013-04-10 15:34:29 +0000
committerThomas Watson2013-04-10 15:34:29 +0000
commit5ad325360d09f89d8cb3766164e9340041aec535 (patch)
treeea4d5cfad19301c69be003cda277001dd4c75745
parent7591e36abd6786ae4b6a3e57e9d3d07f4be3cad2 (diff)
downloadrt.equinox.framework-5ad325360d09f89d8cb3766164e9340041aec535.tar.gz
rt.equinox.framework-5ad325360d09f89d8cb3766164e9340041aec535.tar.xz
rt.equinox.framework-5ad325360d09f89d8cb3766164e9340041aec535.zip
Bug 395274 - Equinox returns valid bundle entries for invalid paths
- additional fix to properly use canonical paths for the basefile
-rw-r--r--bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/baseadaptor/bundlefile/DirBundleFile.java14
-rw-r--r--bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/internal/baseadaptor/BaseStorage.java16
-rw-r--r--bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/signedcontent/SignedBundleHook.java4
3 files changed, 22 insertions, 12 deletions
diff --git a/bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/baseadaptor/bundlefile/DirBundleFile.java b/bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/baseadaptor/bundlefile/DirBundleFile.java
index 295a8667e..890104a4e 100644
--- a/bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/baseadaptor/bundlefile/DirBundleFile.java
+++ b/bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/baseadaptor/bundlefile/DirBundleFile.java
@@ -28,9 +28,6 @@ public class DirBundleFile extends BundleFile {
private static final String POINTER_SAME_DIRECTORY_2 = "//";//$NON-NLS-1$
private static final String POINTER_UPPER_DIRECTORY = "..";//$NON-NLS-1$
- private static final String PROPERTY_STRICT_BUNDLE_ENTRY_PATH = "osgi.strictBundleEntryPath";//$NON-NLS-1$
- private static final String PROPERTY_STRICT_BUNDLE_ENTRY_PATH_DEFAULT_VALUE = "false";//$NON-NLS-1$
-
private final boolean enableStrictBundleEntryPath;
/**
@@ -38,12 +35,16 @@ public class DirBundleFile extends BundleFile {
* @param basefile the base file
* @throws IOException
*/
- public DirBundleFile(File basefile) throws IOException {
- super(basefile);
+ public DirBundleFile(File basefile, boolean enableStrictBundleEntryPath) throws IOException {
+ super(getBaseFile(basefile, enableStrictBundleEntryPath));
if (!BundleFile.secureAction.exists(basefile) || !BundleFile.secureAction.isDirectory(basefile)) {
throw new IOException(NLS.bind(AdaptorMsg.ADAPTOR_DIRECTORY_EXCEPTION, basefile));
}
- this.enableStrictBundleEntryPath = Boolean.parseBoolean(BundleFile.secureAction.getProperty(PROPERTY_STRICT_BUNDLE_ENTRY_PATH, PROPERTY_STRICT_BUNDLE_ENTRY_PATH_DEFAULT_VALUE));
+ this.enableStrictBundleEntryPath = enableStrictBundleEntryPath;
+ }
+
+ private static File getBaseFile(File basefile, boolean enableStrictBundleEntryPath) throws IOException {
+ return enableStrictBundleEntryPath ? secureAction.getCanonicalFile(basefile) : basefile;
}
public File getFile(String path, boolean nativeCode) {
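Review bot: The constructor's Javadoc still documents only `basefile`, so the new `enableStrictBundleEntryPath` parameter and its effect on the stored base file are undocumented. I would add `@param enableStrictBundleEntryPath if true, the base file is resolved to its canonical form before being stored` and note under `@throws IOException` that canonicalization failures are now reported there as well as the not-a-directory case. The new `getBaseFile` helper deserves a one-line comment saying it exists because the canonical file must be computed before the `super(...)` call. The exists/isDirectory check that follows still runs on the caller's `basefile` argument, not the file handed to `super`; a short comment saying that is intentional would help.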
@@ -54,6 +55,7 @@ public class DirBundleFile extends BundleFile {
}
if (!enableStrictBundleEntryPath) {
+ // must do an extra check to make sure file is within the bundle (bug 320546)
if (checkInBundle) {
try {
if (!BundleFile.secureAction.getCanonicalPath(file).startsWith(BundleFile.secureAction.getCanonicalPath(basefile)))
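Review bot: The containment check that the new comment describes is a plain string prefix test, `getCanonicalPath(file).startsWith(getCanonicalPath(basefile))`, and a canonical directory path carries no trailing separator. A file in a sibling directory whose name merely begins with the bundle directory's name would therefore still count as "within the bundle", unless code outside this hunk already rejects such paths. I would compare against the base path with the separator appended, e.g. `String base = BundleFile.secureAction.getCanonicalPath(basefile);` followed by `if (!p.equals(base) && !p.startsWith(base + File.separator))`, where `p` is the canonical path of `file`. The rest of `getFile` lies outside the hunk, so the handling after a failed check cannot be reviewed from here.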
diff --git a/bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/internal/baseadaptor/BaseStorage.java b/bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/internal/baseadaptor/BaseStorage.java
index 982b8162a..d4c1b874e 100644
--- a/bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/internal/baseadaptor/BaseStorage.java
+++ b/bundles/org.eclipse.osgi/defaultAdaptor/src/org/eclipse/osgi/internal/baseadaptor/BaseStorage.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2005, 2011 IBM Corporation and others.
+ * Copyright (c) 2005, 2013 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
@@ -16,6 +16,7 @@ import java.io.*;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;
import java.net.*;
+import java.security.AccessController;
import java.util.*;
import org.eclipse.core.runtime.adaptor.EclipseStarter;
import org.eclipse.core.runtime.adaptor.LocationManager;
@@ -31,6 +32,7 @@ import org.eclipse.osgi.framework.internal.core.*;
import org.eclipse.osgi.framework.internal.core.Constants;
import org.eclipse.osgi.framework.log.FrameworkLogEntry;
import org.eclipse.osgi.framework.util.KeyedHashSet;
+import org.eclipse.osgi.framework.util.SecureAction;
import org.eclipse.osgi.internal.loader.BundleLoader;
import org.eclipse.osgi.internal.loader.BundleLoaderProxy;
import org.eclipse.osgi.service.datalocation.Location;
@@ -49,6 +51,10 @@ public class BaseStorage implements SynchronousBundleListener {
private static final String OPTION_RESOLVER_READER = RUNTIME_ADAPTOR + "/resolver/reader/timing"; //$NON-NLS-1$
private static final String PROP_FRAMEWORK_EXTENSIONS = "osgi.framework.extensions"; //$NON-NLS-1$
private static final String PROP_BUNDLE_STORE = "osgi.bundlestore"; //$NON-NLS-1$
+
+ static final SecureAction secureAction = AccessController.doPrivileged(SecureAction.createSecureAction());
+ private static final String PROPERTY_STRICT_BUNDLE_ENTRY_PATH = "osgi.strictBundleEntryPath";//$NON-NLS-1$
+ private static final String PROPERTY_STRICT_BUNDLE_ENTRY_PATH_DEFAULT_VALUE = "false";//$NON-NLS-1$
// The name of the bundle data directory
static final String DATA_DIR_NAME = "data"; //$NON-NLS-1$
static final String LIB_TEMP = "libtemp"; //$NON-NLS-1$
@@ -740,10 +746,12 @@ public class BaseStorage implements SynchronousBundleListener {
// No factories configured or they declined to create the bundle file; do default
if (result == null && content instanceof File) {
File file = (File) content;
- if (isDirectory(data, base, file))
- result = new DirBundleFile(file);
- else
+ if (isDirectory(data, base, file)) {
+ boolean strictPath = Boolean.parseBoolean(secureAction.getProperty(PROPERTY_STRICT_BUNDLE_ENTRY_PATH, PROPERTY_STRICT_BUNDLE_ENTRY_PATH_DEFAULT_VALUE));
+ result = new DirBundleFile(file, strictPath);
+ } else {
result = new ZipBundleFile(file, data, mruList);
+ }
}
if (result == null && content instanceof String) {
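Review bot: The strict-path switch is parsed with `Boolean.parseBoolean(secureAction.getProperty(PROPERTY_STRICT_BUNDLE_ENTRY_PATH, ...))`, which treats every value other than "true" (case-insensitive) as false. A mistyped setting such as `yes` or `1` therefore silently leaves the hardening off. The property is also re-read for every directory bundle file, so bundle files created at different times can end up with different modes if the property changes at runtime. I would read it once into a `private static final boolean` next to the new constants and log a warning when the value is neither "true" nor "false". A short comment at the call site stating that strict mode is opt-in and defaults to false would make the fail-open default explicit.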
diff --git a/bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/signedcontent/SignedBundleHook.java b/bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/signedcontent/SignedBundleHook.java
index 58e417df1..f589aa706 100644
--- a/bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/signedcontent/SignedBundleHook.java
+++ b/bundles/org.eclipse.osgi/security/src/org/eclipse/osgi/internal/signedcontent/SignedBundleHook.java
@@ -1,5 +1,5 @@
/*******************************************************************************
- * Copyright (c) 2006, 2010 IBM Corporation and others.
+ * Copyright (c) 2006, 2013 IBM Corporation and others.
* All rights reserved. This program and the accompanying materials
* are made available under the terms of the Eclipse Public License v1.0
* which accompanies this distribution, and is available at
@@ -248,7 +248,7 @@ public class SignedBundleHook implements AdaptorHook, BundleFileWrapperFactoryHo
throw new IllegalArgumentException("null content"); //$NON-NLS-1$
BundleFile contentBundleFile;
if (content.isDirectory())
- contentBundleFile = new DirBundleFile(content);
+ contentBundleFile = new DirBundleFile(content, false);
else
contentBundleFile = new ZipBundleFile(content, null);
SignedBundleFile result = new SignedBundleFile(null, VERIFY_ALL);
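Review bot: The literal `false` in `new DirBundleFile(content, false)` means that directory content checked through this hook always uses non-strict entry-path handling, even when `osgi.strictBundleEntryPath` is enabled for the framework. If that is deliberate, the line needs a comment saying why, for example `// signed-content verification of an arbitrary directory intentionally ignores osgi.strictBundleEntryPath because ...`. If it is not deliberate, the hook should pass the same property value that `BaseStorage` uses, so that signature verification and bundle loading resolve entries against the same canonical base. The enclosing method starts before this hunk, so whether `content` is already canonicalized by the caller is not visible here.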
