svn commit: r759371 - in /commons/proper/compress/trunk/src: main/java/org/apache/commons/compress/archivers/zip/ZipUtil.java test/java/org/apache/commons/compress/archivers/zip/ZipUtilTest.java

Fri, 27 Mar 2009 15:02:43 -0700 

Author: sebb
Date: Fri Mar 27 22:02:20 2009
New Revision: 759371

URL: http://svn.apache.org/viewvc?rev=759371&view=rev
Log:
Fix malicious code / thread-safety bug

Modified:
    
commons/proper/compress/trunk/src/main/java/org/apache/commons/compress/archivers/zip/ZipUtil.java
    
commons/proper/compress/trunk/src/test/java/org/apache/commons/compress/archivers/zip/ZipUtilTest.java

Modified: 
commons/proper/compress/trunk/src/main/java/org/apache/commons/compress/archivers/zip/ZipUtil.java
URL: 
http://svn.apache.org/viewvc/commons/proper/compress/trunk/src/main/java/org/apache/commons/compress/archivers/zip/ZipUtil.java?rev=759371&r1=759370&r2=759371&view=diff
==============================================================================
--- 
commons/proper/compress/trunk/src/main/java/org/apache/commons/compress/archivers/zip/ZipUtil.java
 (original)
+++ 
commons/proper/compress/trunk/src/main/java/org/apache/commons/compress/archivers/zip/ZipUtil.java
 Fri Mar 27 22:02:20 2009
@@ -22,6 +22,10 @@
 import java.util.Date;
 import java.util.zip.CRC32;
 
+/**
+ * Utility class for handling DOS and Java time conversions.
+ * @Immutable
+ */
 public abstract class ZipUtil {
     /**
      * Smallest date/time ZIP can handle.
@@ -50,7 +54,7 @@
         //                                   here will improve the readablity
         int year = time.getYear() + 1900;
         if (year < 1980) {
-            return DOS_TIME_MIN;
+            return (byte[]) DOS_TIME_MIN.clone(); // stop callers from 
changing the array
         }
         int month = time.getMonth() + 1;
         long value =  ((year - 1980) << 25)

Modified: 
commons/proper/compress/trunk/src/test/java/org/apache/commons/compress/archivers/zip/ZipUtilTest.java
URL: 
http://svn.apache.org/viewvc/commons/proper/compress/trunk/src/test/java/org/apache/commons/compress/archivers/zip/ZipUtilTest.java?rev=759371&r1=759370&r2=759371&view=diff
==============================================================================
--- 
commons/proper/compress/trunk/src/test/java/org/apache/commons/compress/archivers/zip/ZipUtilTest.java
 (original)
+++ 
commons/proper/compress/trunk/src/test/java/org/apache/commons/compress/archivers/zip/ZipUtilTest.java
 Fri Mar 27 22:02:20 2009
@@ -74,4 +74,11 @@
                      ZipUtil.adjustToLong(2 * Integer.MAX_VALUE));
     }
 
+    public void testMinTime(){
+        byte[] b1 = ZipUtil.toDosTime(0);
+        byte b10 = b1[0]; // Save the first byte
+        b1[0]++; // change it
+        byte[] b2 = ZipUtil.toDosTime(0); // get the same time
+        assertEquals(b10,b2[0]); // first byte should still be the same
+    }
 }

Reply via email to