btellier pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/james-project.git
The following commit(s) were added to refs/heads/master by this push:
new 7d22c6f CVE-2022-22931 JAMES-3646 Rely on strong typing for file
paths operations (#877)
7d22c6f is described below
commit 7d22c6fbd79d817bc137da7b9d712cb2802a7df8
Author: Benoit TELLIER <[email protected]>
AuthorDate: Wed Feb 9 08:24:12 2022 +0700
CVE-2022-22931 JAMES-3646 Rely on strong typing for file paths operations
(#877)
---
.../apache/james/sieverepository/file/SieveFileRepository.java | 8 ++------
.../james/sieverepository/file/SieveFileRepositoryTest.java | 9 +++++++++
2 files changed, 11 insertions(+), 6 deletions(-)
diff --git
a/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java
b/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java
index 26baf98..b70496b 100644
---
a/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java
+++
b/server/data/data-file/src/main/java/org/apache/james/sieverepository/file/SieveFileRepository.java
@@ -316,12 +316,8 @@ public class SieveFileRepository implements
SieveRepository {
}
private void enforceRoot(File file) throws StorageException {
- try {
- if (!file.getCanonicalPath().startsWith(root.getCanonicalPath())) {
- throw new StorageException(new IllegalStateException("Path
traversal attempted"));
- }
- } catch (IOException e) {
- throw new StorageException(e);
+ if (!file.toPath().normalize().startsWith(root.toPath().normalize())) {
+ throw new StorageException(new IllegalStateException("Path
traversal attempted"));
}
}
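Review bot: The replacement check on the added `if` line no longer resolves symbolic links: `Path.normalize()` is purely lexical, whereas the removed `getCanonicalPath()` followed links on Unix, so a link placed under the sieve root that points outside it now satisfies `startsWith` where it previously would not; whether such links can appear under this root depends on the deployment, which the hunk does not show. The component-wise comparison that fixes the string-prefix flaw can be kept together with link resolution by comparing canonical files as `Path`s inside the former `try`/`catch (IOException e)`, as sketched below. A why-comment on the comparison, `// Path.startsWith is component-wise: /root/test must not match /root/testa`, would keep the next maintainer from reverting to the string form. The method is fully visible in the hunk; the class continues outside it.
```java
private void enforceRoot(File file) throws StorageException {
    try {
        // Path.startsWith compares name elements, so /root/test does not match /root/testa;
        // getCanonicalFile additionally resolves symbolic links, which normalize() does not.
        if (!file.getCanonicalFile().toPath().startsWith(root.getCanonicalFile().toPath())) {
            throw new StorageException(new IllegalStateException("Path traversal attempted"));
        }
    } catch (IOException e) {
        throw new StorageException(e);
    }
}
```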
diff --git
a/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java
b/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java
index e6b4f17..1077ec8 100644
---
a/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java
+++
b/server/data/data-file/src/test/java/org/apache/james/sieverepository/file/SieveFileRepositoryTest.java
@@ -84,4 +84,13 @@ class SieveFileRepositoryTest implements
SieveRepositoryContract {
new ScriptName("../other/script")))
.isInstanceOf(StorageException.class);
}
+
+ @Test
+ void getScriptShouldNotAllowToReadScriptsOfOtherUsersWhenPrefix() throws
Exception {
+ sieveRepository().putScript(Username.of("testa"), new
ScriptName("script"), new ScriptContent("PWND!!!"));
+
+ assertThatThrownBy(() ->
sieveRepository().getScript(Username.of("test"),
+ new ScriptName("../other/script")))
+ .isInstanceOf(StorageException.class);
+ }
}
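Review bot: The new test `getScriptShouldNotAllowToReadScriptsOfOtherUsersWhenPrefix` never reads the script it stores: it writes a script for user `testa` but then requests `../other/script`, the same name the preceding test already uses, so the "prefix" scenario named in the method (a user directory `testa` whose path string starts with `test`) is not exercised and the test would likely have passed on the pre-patch `String.startsWith` check as well. Pointing the traversal at the sibling user that was set up, `new ScriptName("../testa/script")`, makes the test reproduce the reported case, assuming scripts are laid out under a per-user directory as the `testa`/`test` pairing suggests. A short comment above the `@Test`, `// "testa" is a string-prefix extension of "test": a lexical startsWith check would accept it`, would document why the second user exists.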