Commit

Fix for GHSL-2022-008 vulnerability.
kwwall committed Apr 17, 2022
1 parent 657c2a7 commit a0d67b7
Showing 1 changed file with 1 addition and 1 deletion.
Expand Up @@ -466,7 +466,7 @@ public String getValidDirectoryPath(String context, String input, File parent, b
if ( !parent.isDirectory() ) {
throw new ValidationException( context + ": Invalid directory name", "Invalid directory, specified parent is not a directory: context=" + context + ", input=" + input + ", parent=" + parent );
}
if ( !dir.getCanonicalPath().startsWith(parent.getCanonicalPath() ) ) {
if ( !dir.getCanonicalFile().toPath().startsWith( parent.getCanonicalFile().toPath() ) ) { // Fixes GHSL-2022-008
throw new ValidationException( context + ": Invalid directory name", "Invalid directory, not inside specified parent: context=" + context + ", input=" + input + ", parent=" + parent );
}
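Review bot: The trailing comment on the new containment check in getValidDirectoryPath ("// Fixes GHSL-2022-008") names the advisory but not the reason, and this commit touches one file with one addition and one deletion, so no regression test accompanies it. The replaced condition compared canonical paths as strings with String.startsWith, which is a character-prefix match: a directory whose name merely begins with the parent's name (a sibling such as "/data/app-old" against a parent of "/data/app", constructed here for illustration) passes it. Path.startsWith compares whole path elements, so the new condition rejects that case. I would say that in the comment so the Path form is not later simplified back to a string comparison, add a test that passes a sibling directory sharing the parent's name prefix and expects ValidationException, and check whether other canonical-path comparisons in this file still use the string form.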

1 comment on commit a0d67b7

@JLLeitschuh

For back tracking this is related to CVE-2022-23457

GHSA-8m5h-hrqm-pxm2
