Repository: hive Updated Branches: refs/heads/branch-3 f1f265046 -> 3c44a3820
HIVE-19496: Check untar folder (Aihua Xu, reviewed by Sahil Takiar) Project: http://git-wip-us.apache.org/repos/asf/hive/repo Commit: http://git-wip-us.apache.org/repos/asf/hive/commit/3c44a382 Tree: http://git-wip-us.apache.org/repos/asf/hive/tree/3c44a382 Diff: http://git-wip-us.apache.org/repos/asf/hive/diff/3c44a382 Branch: refs/heads/branch-3 Commit: 3c44a3820424de3dc07a80714732b548ae147020 Parents: f1f2650 Author: Aihua Xu <[email protected]> Authored: Thu May 10 14:51:57 2018 -0700 Committer: Aihua Xu <[email protected]> Committed: Wed May 16 10:19:08 2018 -0700 ---------------------------------------------------------------------- .../src/java/org/apache/hadoop/hive/common/CompressionUtils.java | 4 ++++ 1 file changed, 4 insertions(+) ---------------------------------------------------------------------- http://git-wip-us.apache.org/repos/asf/hive/blob/3c44a382/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java ----------------------------------------------------------------------
diff --git a/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java b/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
index 681c506..d98632e 100644
--- a/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
+++ b/common/src/java/org/apache/hadoop/hive/common/CompressionUtils.java
@@ -159,6 +159,10 @@ public class CompressionUtils {
 TarArchiveEntry entry = null;
 while ((entry = (TarArchiveEntry) debInputStream.getNextEntry()) != null) {
 final File outputFile = new File(outputDir, entry.getName());
+ if (!outputFile.toPath().toAbsolutePath().normalize()
+ .startsWith(outputDir.toPath().toAbsolutePath().normalize())) {
+ throw new IOException("Untarred file is not under the output directory");
+ }
 if (entry.isDirectory()) {
 if (flatten) { // no sub-directories
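Review bot: The containment check added inside the `while` loop is purely lexical: `toAbsolutePath().normalize()` collapses `..` segments but does not resolve symbolic links, so it only guarantees containment when nothing under `outputDir` is a link pointing elsewhere. The loop body continues outside the hunk, so whether link entries are ever materialised cannot be seen here; if they can be, or if `outputDir` may already contain links, the comparison should be made on resolved paths (for example `toRealPath()` on the nearest existing parent directory). The exception also omits the offending entry name, which makes a rejected archive hard to triage; consider `throw new IOException("Untarred file is not under the output directory: " + entry.getName());`, treating that name as untrusted text wherever it is logged. The diffstat shows a single file changed, so a regression test that feeds an entry name containing `..` and expects the `IOException` is still missing.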
