This is an automated email from the ASF dual-hosted git repository.

rotty3000 pushed a commit to branch trunk
in repository https://gitbox.apache.org/repos/asf/aries.git


The following commit(s) were added to refs/heads/trunk by this push:
     new 8e805ce  Fix a bug with the canonicalize step
8e805ce is described below

commit 8e805ce352502fdcfc16350e5750aaa95e7b3836
Author: Colm O hEigeartaigh <[email protected]>
AuthorDate: Wed Jan 26 08:42:51 2022 +0000

    Fix a bug with the canonicalize step
---
 .../src/main/java/org/apache/aries/spifly/statictool/Main.java      | 6 +++++-
 util/src/main/java/org/apache/aries/util/io/IOUtils.java            | 6 +++++-
 2 files changed, 10 insertions(+), 2 deletions(-)

diff --git 
a/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
 
b/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
index a4e2c14..557f55c 100644
--- 
a/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
+++ 
b/spi-fly/spi-fly-static-tool/src/main/java/org/apache/aries/spifly/statictool/Main.java
@@ -244,7 +244,11 @@ public class Main {
         JarEntry je = null;
         while((je = jis.getNextJarEntry()) != null) {
             File outFile = new File(tempDir, je.getName());
-            if 
(!outFile.getCanonicalPath().startsWith(tempDir.getCanonicalPath())) {
+            String canonicalizedTargetDir = tempDir.getCanonicalPath();
+            if (!canonicalizedTargetDir.endsWith(File.separator)) {
+                canonicalizedTargetDir += File.separator;
+            }
+            if 
(!outFile.getCanonicalPath().startsWith(canonicalizedTargetDir)) {
                 throw new IOException("The output file is not contained in the 
destination directory");
             }
 
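Review bot: `tempDir.getCanonicalPath()` and the separator fix-up are recomputed for every entry inside the `while` loop, although `tempDir` does not change between iterations. Building `canonicalizedTargetDir` once before the loop saves a filesystem canonicalization per entry and leaves only the `startsWith` test inside the loop. The same applies to `canonicalizedDir` in the IOUtils.java hunk. A one-line comment above the check would record why the separator is appended, e.g. `// trailing separator: a sibling directory sharing the name prefix must not pass the containment test`. The enclosing method starts and ends outside the hunk.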
diff --git a/util/src/main/java/org/apache/aries/util/io/IOUtils.java 
b/util/src/main/java/org/apache/aries/util/io/IOUtils.java
index 39054b2..00b9485 100644
--- a/util/src/main/java/org/apache/aries/util/io/IOUtils.java
+++ b/util/src/main/java/org/apache/aries/util/io/IOUtils.java
@@ -276,7 +276,11 @@ public class IOUtils
       if(isZip){
         do {
           File outFile = new File(outputDir, zipEntry.getName());
-          if 
(!outFile.getCanonicalPath().startsWith(outputDir.getCanonicalPath())) {
+          String canonicalizedDir = outputDir.getCanonicalPath();
+          if (!canonicalizedDir.endsWith(File.separator)) {
+               canonicalizedDir += File.separator;
+          }
+          if (!outFile.getCanonicalPath().startsWith(canonicalizedDir)) {
             throw new IOException("The output file is not contained in the 
destination directory");
           }
 
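Review bot: An entry whose name resolves to `outputDir` itself (for example a `./` entry) is now rejected, because its canonical path lacks the trailing separator that `canonicalizedDir` carries; the old prefix test accepted it. If such archives are expected to keep unpacking, a component-wise comparison avoids the string fix-up: `if (!outFile.getCanonicalFile().toPath().startsWith(outputDir.getCanonicalFile().toPath())) {`. This accepts the directory and its descendants while still rejecting siblings that only share a name prefix. The Main.java hunk behaves the same way. Separately, the `canonicalizedDir += File.separator;` line is indented deeper than the two-space step used by the surrounding lines, and the `do` loop continues outside the hunk.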
