This is an automated email from the ASF dual-hosted git repository.

martin_s pushed a commit to branch archiva-2.x
in repository https://gitbox.apache.org/repos/asf/archiva.git

commit c5bcbaabedc323e778fe03289cbbfaa35b25e2d8
Author: Martin Stockhammer <[email protected]>
AuthorDate: Sun Feb 24 14:56:11 2019 +0100

    Adding additional verifications for upload
---
 .../org/apache/archiva/web/api/DefaultFileUploadService.java     | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git 
a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
 
b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
index e4d6676..d5f0ec5 100644
--- 
a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
+++ 
b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
@@ -70,6 +70,7 @@ import java.io.FileOutputStream;
 import java.io.FileWriter;
 import java.io.IOException;
 import java.nio.file.Files;
+import java.nio.file.Paths;
 import java.nio.file.StandardCopyOption;
 import java.text.DateFormat;
 import java.text.SimpleDateFormat;
@@ -183,15 +184,17 @@ public class DefaultFileUploadService
     public Boolean deleteFile( String fileName )
         throws ArchivaRestServiceException
     {
-        File file = new File( SystemUtils.getJavaIoTmpDir(), fileName );
+        // we make sure, that there are no other path components in the 
filename:
+        String checkedFileName = Paths.get(fileName).getFileName().toString();
+        File file = new File( SystemUtils.getJavaIoTmpDir(), checkedFileName );
         log.debug( "delete file:{},exists:{}", file.getPath(), file.exists() );
         boolean removed = getSessionFileMetadatas().remove( new FileMetadata( 
fileName ) );
         // try with full name as ui only know the file name
         if ( !removed )
         {
-            /* unused */ getSessionFileMetadatas().remove( new FileMetadata( 
file.getPath() ) );
+            removed = getSessionFileMetadatas().remove( new FileMetadata( 
file.getPath() ) );
         }
-        if ( file.exists() )
+        if (removed && file.exists() )
         {
             return file.delete();
         }
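Review bot: The new sanitization line `String checkedFileName = Paths.get(fileName).getFileName().toString();` can still fail with an unchecked exception rather than the declared ArchivaRestServiceException: `Paths.get` throws `InvalidPathException` on malformed input, and `getFileName()` returns null for a root path such as "/", which then hits the `toString()` call with a NullPointerException. It also passes "." and ".." through unchanged, so `new File( SystemUtils.getJavaIoTmpDir(), ".." )` resolves to the parent of the temp directory; the added `removed &&` gate restricts deletion to names present in the session metadata, but the check would be more robust if it rejected those values explicitly, e.g. `Path leaf = Paths.get( fileName ).getFileName(); if ( leaf == null || ".".equals( leaf.toString() ) || "..".equals( leaf.toString() ) ) { /* reject with the declared ArchivaRestServiceException */ }` (with `java.nio.file.Path` imported alongside `Paths` in the first hunk). The metadata lookup two lines below still uses the raw `fileName` while the File uses `checkedFileName`; presumably intended because the UI only sends the bare name, but a one-line comment stating that would save the next reader a question. deleteFile's body continues past the end of the hunk.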
