pjfanning commented on code in PR #1066:
URL: https://github.com/apache/poi/pull/1066#discussion_r3227314875


##########
poi-scratchpad/src/main/java/org/apache/poi/hmef/extractor/HMEFContentsExtractor.java:
##########
@@ -152,10 +153,20 @@ public void extractAttachments(File dir) throws 
IOException {
             }
             
             // Save it
-            File file = new File(dir, filename);
+            File file = getOutputFile(dir, filename);
             try (OutputStream fout = Files.newOutputStream(file.toPath())) {
                 fout.write(att.getContents());
             }
         }
     }
+
+    private static File getOutputFile(File dir, String filename) throws 
IOException {
+        Path outputDir = dir.toPath().toAbsolutePath().normalize();
+        Path outputFile = outputDir.resolve(filename).normalize();
+        if (!outputFile.startsWith(outputDir)) {
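Review bot: the containment check on the last line of this hunk is purely lexical (normalize() collapses "." and ".." without touching the file system), which correctly rejects names like "../x" and absolute names, but a filename that normalizes to the output directory itself (an empty string or ".") still satisfies `outputFile.startsWith(outputDir)` and the caller then fails in `Files.newOutputStream(file.toPath())` on a directory; add `|| outputFile.equals(outputDir)` to the condition, or reject empty names before resolving. Two smaller points: the comparison must stay on `Path.startsWith` (component-wise) rather than a String prefix test, so that "/out2" is never accepted as a child of "/out"; and since the only caller immediately calls `file.toPath()`, returning the resolved `Path` instead of converting back to `File` would avoid a pointless round trip.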

Review Comment:
   Can you have a look at https://github.com/apache/poi/blob/145ca469d93f5cb3f9f476d5d3b9195ac3ada744/poi/src/main/java/org/apache/poi/util/IOUtils.java#L622 and adjust that to have a shared method to do this check? Code reuse is important.



-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]
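As an added example (not Apache POI code and not the IOUtils method the reviewer links to), here is the shape a shared output-path check could take so that both call sites reject directory escapes the same way. The class and method names are assumptions, and the attachment names exercised in main are constructed; no files are written.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical shared helper for the containment check discussed above.
 * Added example only: the name resolveWithinDir is an assumption, not the
 * project's IOUtils API.
 */
public final class SafeOutputPath {

    private SafeOutputPath() {}

    /**
     * Resolves {@code name} against {@code dir} and returns the result only if
     * it stays strictly inside {@code dir}. The check is lexical: normalize()
     * collapses "." and ".." without consulting the file system, so it rejects
     * "../x", rooted names, and names that collapse back to the directory itself.
     */
    public static Path resolveWithinDir(Path dir, String name) throws IOException {
        if (name == null || name.isEmpty()) {
            throw new IOException("Attachment has no file name");
        }
        Path base = dir.toAbsolutePath().normalize();
        Path target = base.resolve(name).normalize();
        // Path.startsWith is component-wise, so "/out2" is not treated as a child of "/out".
        // equals(base) catches names such as "." that normalize to the directory itself.
        if (!target.startsWith(base) || target.equals(base)) {
            throw new IOException("Entry '" + name + "' would be written outside " + base);
        }
        return target;
    }

    /** Convenience wrapper: true when the name is accepted, false when it is rejected. */
    public static boolean isContained(Path dir, String name) {
        try {
            resolveWithinDir(dir, name);
            return true;
        } catch (IOException e) {
            return false;
        }
    }

    public static void main(String[] args) {
        // Constructed attachment names, as a crafted message could supply them.
        Path out = Paths.get("out");
        String[] names = {
            "report.pdf",            // accepted
            "sub/dir/report.pdf",    // accepted: nested, still inside the directory
            "../report.pdf",         // rejected: climbs out of the directory
            "a/../../report.pdf",    // rejected: ".." past the base after "a/.." collapses
            "/etc/passwd",           // rejected: rooted name does not stay under the base
            ".",                     // rejected: normalizes to the directory itself
        };
        for (String n : names) {
            System.out.printf("%-22s -> %s%n", n, isContained(out, n) ? "accepted" : "rejected");
        }
    }
}
```

Because the check is lexical, it does not follow symbolic links: a symlinked subdirectory already present under the output directory would still redirect a nested write, so callers that cannot trust the output tree should also compare against `toRealPath()` after creating the parent directories.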