3 files changed, 34 insertions, 5 deletions

diff --git a/bundles/org.eclipse.osgi/META-INF/MANIFEST.MF b/bundles/org.eclipse.osgi/META-INF/MANIFEST.MF
index 25ab3347b..dc7a293e5 100644
--- a/bundles/org.eclipse.osgi/META-INF/MANIFEST.MF
+++ b/bundles/org.eclipse.osgi/META-INF/MANIFEST.MF
@@ -101,7 +101,7 @@ Bundle-Activator: org.eclipse.osgi.internal.framework.SystemBundleActivator
 Bundle-Description: %systemBundle
 Bundle-Copyright: %copyright
 Bundle-Vendor: %eclipse.org
-Bundle-Version: 3.13.300.qualifier
+Bundle-Version: 3.13.400.qualifier
 Bundle-Localization: systembundle
 Bundle-DocUrl: http://www.eclipse.org
 Eclipse-ExtensibleAPI: true
diff --git a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/storage/Storage.java b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/storage/Storage.java
index 6dfe504b7..25c70ac8f 100644
--- a/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/storage/Storage.java
+++ b/bundles/org.eclipse.osgi/container/src/org/eclipse/osgi/storage/Storage.java
@@ -955,10 +955,35 @@ public class Storage {
 		return bundleID + "/" + generationID + "/" + BUNDLE_FILE_NAME; //$NON-NLS-1$ //$NON-NLS-2$
 	}
 
+	/**
+	 * Gets a file from storage and conditionally checks the parent storage area
+	 * if the file does not exist in the child configuration.
+	 * Note, this method does not check for escaping of paths from the root storage area.
+	 * @param path the path relative to the root of the storage area
+	 * @param checkParent if true then check the parent storage (if any) when the file
+	 * does not exist in the child storage area
+	 * @return the file being requested. A {@code null} value is never returned.  The file
+	 * returned may not exist.
+	 * @throws StorageException if there was an issue getting the file
+	 */
 	public File getFile(String path, boolean checkParent) throws StorageException {
 		return getFile(null, path, checkParent);
 	}
 
+	/**
+	 * Same as {@link #getFile(String, boolean)} except takes a base parameter which is
+	 * appended to the root storage area before looking for the path.  If base is not
+	 * null then additional checks are done to make sure the path does not escape out
+	 * of the base path.
+	 * @param base the additional base path to append to the root storage area.  May be
+	 * {@code null}, in which case no check is done for escaping out of the base path.
+	 * @param path the path relative to the root + base storage area.
+	 * @param checkParent if true then check the parent storage (if any) when the file
+	 * does not exist in the child storage area
+	 * @return the file being requested. A {@code null} value is never returned.  The file
+	 * returned may not exist.
+	 * @throws StorageException if there was an issue getting the file
+	 */
 	public File getFile(String base, String path, boolean checkParent) throws StorageException {
 		// first check the child location
 		File childPath = getFile(childRoot, base, path);
@@ -978,12 +1003,16 @@ public class Storage {
 	}
 
 	private static File getFile(File root, String base, String path) {
-		if (base != null) {
-			// if base is not null then move root to include the base
-			root = new File(root, base);
+		if (base == null) {
+			// return quick; no need to check for path traversal
+			return new File(root, path);
 		}
+
+		// if base is not null then move root to include the base
+		root = new File(root, base);
 		File result = new File(root, path);
 
+		// do the extra check to make sure the path did not escape the root path
 		try {
 			String resultCanonical = result.getCanonicalPath();
 			String rootCanonical = root.getCanonicalPath();
diff --git a/bundles/org.eclipse.osgi/pom.xml b/bundles/org.eclipse.osgi/pom.xml
index 2d63f2897..92a400413 100644
--- a/bundles/org.eclipse.osgi/pom.xml
+++ b/bundles/org.eclipse.osgi/pom.xml
@@ -19,7 +19,7 @@
   </parent>
   <groupId>org.eclipse.osgi</groupId>
   <artifactId>org.eclipse.osgi</artifactId>
-  <version>3.13.300-SNAPSHOT</version>
+  <version>3.13.400-SNAPSHOT</version>
   <packaging>eclipse-plugin</packaging>
 
   <build>