This is an automated email from the ASF dual-hosted git repository.

martin_s pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/archiva.git

commit 747cc55b248022066f5a8a92c6a6cc71b15ed944
Author: Martin Stockhammer <[email protected]>
AuthorDate: Sun Feb 24 14:56:11 2019 +0100

    Adding additional verifications for upload
    
    (cherry picked from commit c5bcbaabedc323e778fe03289cbbfaa35b25e2d8)
---
 .../archiva/web/api/DefaultFileUploadService.java  | 25 +++++++++++-----------
 1 file changed, 13 insertions(+), 12 deletions(-)

diff --git 
a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
 
b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
index 3a05d8f..0e55bdb 100644
--- 
a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
+++ 
b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
@@ -184,21 +184,22 @@ public class DefaultFileUploadService
     public Boolean deleteFile( String fileName )
         throws ArchivaRestServiceException
     {
-        Path file = SystemUtils.getJavaIoTmpDir().toPath().resolve( fileName );
+        // we make sure, that there are no other path components in the 
filename:
+        String checkedFileName = Paths.get(fileName).getFileName().toString();
+        Path file = SystemUtils.getJavaIoTmpDir().toPath().resolve( 
checkedFileName );
         log.debug( "delete file:{},exists:{}", file, Files.exists(file) );
         boolean removed = getSessionFileMetadatas().remove( new FileMetadata( 
fileName ) );
         // try with full name as ui only know the file name
-        if ( !removed )
-        {
-            /* unused */ getSessionFileMetadatas().remove( new FileMetadata( 
file.toString() ) );
-        }
-        try
-        {
-            Files.deleteIfExists( file );
-        }
-        catch ( IOException e )
-        {
-            log.error("Could not delete file {}: {}", file, e.getMessage(), e);
+        if ( !removed ) {
+            removed = getSessionFileMetadatas().remove(new 
FileMetadata(file.toString()));
+        }
+        if (removed) {
+            try {
+                Files.deleteIfExists(file);
+                return Boolean.TRUE;
+            } catch (IOException e) {
+                log.error("Could not delete file {}: {}", file, 
e.getMessage(), e);
+            }
         }
         return Boolean.FALSE;
     }
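Review bot: `Paths.get(fileName).getFileName()` returns null for a path with no name elements (a bare root), so the added `.toString()` can throw a NullPointerException. It also returns `.` and `..` unchanged, so the resolved `file` is not guaranteed to be strictly inside the temp directory. The delete is now gated on `removed`, which narrows this, but whether session metadata can hold such names is not visible in this hunk, so the path check should not depend on it. I would reject a null name component and confirm that the normalized target stays below the temp directory before the lookup and delete, returning `Boolean.FALSE` otherwise. The sketch below leaves `file` itself un-normalized so the `file.toString()` metadata match behaves as before.

```java
        // … unchanged: deleteFile signature …
        Path tmpDir = SystemUtils.getJavaIoTmpDir().toPath();
        Path namePart = Paths.get( fileName ).getFileName();
        if ( namePart == null )
        {
            // no file name component (e.g. a bare root): nothing valid to delete
            return Boolean.FALSE;
        }
        Path file = tmpDir.resolve( namePart );
        Path resolved = file.normalize();
        if ( !resolved.startsWith( tmpDir.normalize() ) || resolved.equals( tmpDir.normalize() ) )
        {
            // "." and ".." survive getFileName(); keep the target strictly inside the temp dir
            return Boolean.FALSE;
        }
        // … unchanged: debug log, session metadata removal, guarded deleteIfExists …
```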
