Repository: hive Updated Branches: refs/heads/master ff446b779 -> 6e6b0cb7b
HIVE-19496: Check untar folder (Aihua Xu, reviewed by Sahil Takiar)
Project: http://git-wip-us.apache.org/repos/asf/hive/repo
Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/6e6b0cb7
Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/6e6b0cb7
Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/6e6b0cb7
Branch: refs/heads/master
Commit: 6e6b0cb7b1950e6b0e4a19b0f9e2d185031dd83f
Parents: ff446b7
Author: Aihua Xu <[email protected]>
Authored: Thu May 10 14:51:57 2018 -0700
Committer: Aihua Xu <[email protected]>
Committed: Tue May 15 10:11:19 2018 -0700
----------------------------------------------------------------------
.../src/java/org/apache/hadoop/hive/common/CompressionUtils.java | 4 ++++
1 file changed, 4 insertions(+)
----------------------------------------------------------------------
http://git-wip-us.apache.org/repos/asf/hive/blob/6e6b0cb7/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java b/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
index 681c506..d98632e 100644
--- a/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
+++ b/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
@@ -159,6 +159,10 @@ public class CompressionUtils {
 TarArchiveEntry entry = null;
 while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) {
 final File outputFile = new File(outputDir, entry.getName());
+ if (!outputFile.toPath().toAbsolutePath().normalize()
+ .startsWith(outputDir.toPath().toAbsolutePath().normalize())) {
+ throw new IOException("Untarred file is not under the output directory");
+ }
 if (entry.isDirectory()) {
 if (flatten) {
 // no sub-directories
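Review bot: The new containment check in the entry loop is lexical only: `toAbsolutePath().normalize()` collapses `..` segments but does not resolve symbolic links, so it does not cover an output directory that already contains a link, or link entries if the rest of the loop materialises them (that part of the method is outside the hunk, so this is a question rather than a finding). If links can occur there, comparing the `toRealPath()` of the existing parent directory with the real output directory before writing would close that gap. Separately, the exception text does not name the rejected entry, which makes a refused archive hard to triage from logs; consider `throw new IOException("Untarred file " + entry.getName() + " is not under the output directory " + outputDir);`. The diffstat shows only CompressionUtils.java changing, so a unit test that feeds an entry name containing `../` and expects the IOException would pin the behaviour.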
