Defer permissions check when making LocalSession.

Also use Java7 Paths to get rid of some funky logic.
EngineHub · Mar 12, 2019 · 1c5d336 · 1c5d336
1 parent a5cec77
commit 1c5d336
Show file tree

Hide file tree

Showing 2 changed files with 14 additions and 15 deletions.
diff --git a/worldedit-core/src/main/java/com/sk89q/worldedit/WorldEdit.java b/worldedit-core/src/main/java/com/sk89q/worldedit/WorldEdit.java
@@ -68,6 +68,8 @@
 import java.io.IOException;
 import java.io.InputStream;
 import java.nio.charset.StandardCharsets;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 import java.util.HashMap;
 import java.util.Iterator;
 import java.util.List;
@@ -279,19 +281,17 @@ private File getSafeFile(@Nullable Player player, File dir, String filename, Str
         }
 
         try {
-            String filePath = f.getCanonicalPath();
-            String dirPath = dir.getCanonicalPath();
+            Path filePath = Paths.get(f.toURI()).normalize();
+            Path dirPath = Paths.get(dir.toURI()).normalize();
 
-            if ((filePath.length() < dirPath.length() || !filePath.substring(0, dirPath.length()).equals(dirPath))
-                    && !getConfiguration().allowSymlinks) {
-                throw new FilenameResolutionException(filename,
-                        "Path is outside allowable root");
+            if (!filePath.startsWith(dirPath)
+                    || (!getConfiguration().allowSymlinks && !filePath.toRealPath().startsWith(dirPath))) {
+                throw new FilenameResolutionException(filename, "Path is outside allowable root");
             }
 
             return f;
         } catch (IOException e) {
-            throw new FilenameResolutionException(filename,
-                    "Failed to resolve path");
+            throw new FilenameResolutionException(filename, "Failed to resolve path");
         }
     }
 

diff --git a/worldedit-core/src/main/java/com/sk89q/worldedit/session/SessionManager.java b/worldedit-core/src/main/java/com/sk89q/worldedit/session/SessionManager.java
@@ -162,12 +162,10 @@ public synchronized LocalSession get(SessionOwner owner) {
             sessions.put(getKey(owner), new SessionHolder(sessionKey, session));
         }
 
-        if (shouldBoundLimit(owner.hasPermission("worldedit.limit.unrestricted"),
-                session.getBlockChangeLimit(), config.maxChangeLimit)) {
+        if (shouldBoundLimit(owner, "worldedit.limit.unrestricted", session.getBlockChangeLimit(), config.maxChangeLimit)) {
             session.setBlockChangeLimit(config.maxChangeLimit);
         }
-        if (shouldBoundLimit(owner.hasPermission("worldedit.timeout.unrestricted"),
-                session.getTimeout(), config.maxCalculationTimeout)) {
+        if (shouldBoundLimit(owner, "worldedit.timeout.unrestricted", session.getTimeout(), config.maxCalculationTimeout)) {
             session.setTimeout(config.maxCalculationTimeout);
         }
 
@@ -181,9 +179,10 @@ public synchronized LocalSession get(SessionOwner owner) {
         return session;
     }
 
-    private boolean shouldBoundLimit(boolean mayBypass, int currentLimit, int maxLimit) {
-        if (!mayBypass && maxLimit > -1) { // if player can't bypass and max is finite
-            return currentLimit < 0 || currentLimit > maxLimit; // make sure current is finite and less than max
+    private boolean shouldBoundLimit(SessionOwner owner, String permission, int currentLimit, int maxLimit) {
+        if (maxLimit > -1) { // if max is finite
+            return (currentLimit < 0 || currentLimit > maxLimit) // make sure current is finite and less than max
+                    && !owner.hasPermission(permission); // unless user has unlimited permission
         }
         return false;
     }