This is an automated email from the ASF dual-hosted git repository.
davsclaus pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/camel.git
The following commit(s) were added to refs/heads/main by this push:
new 343f04cb98a CAMEL-18825: Fix
https://github.com/apache/camel/security/code-scanning/36
343f04cb98a is described below
commit 343f04cb98a20da45473527757f55623404378de
Author: Claus Ibsen <[email protected]>
AuthorDate: Mon Jan 2 15:46:09 2023 +0100
CAMEL-18825: Fix https://github.com/apache/camel/security/code-scanning/36
---
.../main/java/org/apache/camel/http/common/DefaultHttpBinding.java | 4 ++++
1 file changed, 4 insertions(+)
diff --git
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
index 4d0033c5ae2..c372fed310f 100644
---
a/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
+++
b/components/camel-http-common/src/main/java/org/apache/camel/http/common/DefaultHttpBinding.java
@@ -320,6 +320,10 @@ public class DefaultHttpBinding implements HttpBinding {
LOG.trace("HTTP attachment {} = {}", name, object);
if (object instanceof File) {
String fileName = request.getParameter(name);
+ // fix file name if using malicious parameter name
+ if (fileName != null) {
+ fileName = fileName.replaceAll("[\n\r\t]", "_");
+ }
// is the file name accepted
boolean accepted = true;
if (fileNameExtWhitelist != null) {
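Review bot: The replacement on the added lines neutralises only CR, LF and TAB in a request-controlled value, so it addresses log forging and nothing more: other C0 control characters (ESC, backspace, NUL) still pass through unchanged, and if `fileName` is later used to build a filesystem path — the method continues past the hunk, so that cannot be confirmed here — `..`, `/` and `\` are untouched and would need a separate traversal check. A broader variant at the same cost is `fileName = fileName.replaceAll("\\p{Cntrl}", "_");`, preferably through a `static final Pattern` rather than recompiling the regex for every attachment. The comment is also misleading, since what is sanitised is the parameter's value, not its name; suggest `// neutralise control characters in the request-supplied file name so it cannot forge log lines`. The trace call on the line preceding the change still logs the unsanitised `name` and `object`, which is outside this commit but carries the same request-controlled input.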