Skip to content
Permalink
Browse files Browse the repository at this point in the history
OO-5819: container can only create file in its own path
  • Loading branch information
lainsr committed Nov 1, 2021
1 parent a9d9115 commit c450df7
Show file tree
Hide file tree
Showing 6 changed files with 60 additions and 15 deletions.
16 changes: 13 additions & 3 deletions src/main/java/org/olat/core/util/vfs/LocalFolderImpl.java
Expand Up @@ -374,7 +374,13 @@ public String toString() {
@Override
public VFSContainer createChildContainer(String name) {
File fNewFile = new File(getBasefile(), name);
if (!fNewFile.mkdir()) return null;
if(!isInPath(name)) {
log.warn("Could not create a new container::{} in container::{} - file out of parent directory", name, getBasefile().getAbsolutePath());
return null;
}
if (!fNewFile.mkdir()) {
return null;
}
LocalFolderImpl locFI = new LocalFolderImpl(fNewFile, this);
locFI.setDefaultItemFilter(defaultFilter);
return locFI;
Expand All @@ -384,15 +390,19 @@ public VFSContainer createChildContainer(String name) {
public VFSLeaf createChildLeaf(String name) {
File fNewFile = new File(getBasefile(), name);
try {
if(!isInPath(name)) {
log.warn("Could not create a new leaf::{} in container::{} - file out of parent directory", name, getBasefile().getAbsolutePath());
return null;
}
if(!fNewFile.getParentFile().exists()) {
fNewFile.getParentFile().mkdirs();
}
if (!fNewFile.createNewFile()) {
log.warn("Could not create a new leaf::" + name + " in container::" + getBasefile().getAbsolutePath() + " - file alreay exists");
log.warn("Could not create a new leaf::{} in container::{} - file alreay exists", name, getBasefile().getAbsolutePath());
return null;
}
} catch (Exception e) {
log.error("Error while creating child leaf::" + name + " in container::" + getBasefile().getAbsolutePath(), e);
log.error("Error while creating child leaf::{} in container::{}", name, getBasefile().getAbsolutePath(), e);
return null;
}
return new LocalFileImpl(fNewFile, this);
Expand Down
4 changes: 2 additions & 2 deletions src/main/java/org/olat/core/util/vfs/VFSContainer.java
Expand Up @@ -78,14 +78,14 @@ public interface VFSContainer extends VFSItem {
* Create a new child container (of same type) if possible.
*
* @param name
* @return VFSItem if successfull, null otherwise.
* @return VFSItem if successful, null otherwise.
*/
public VFSContainer createChildContainer(String name);

/**
* Create a new leaf (of same type) if possible,
* @param name
* @return VFSItem if successfull, null otherwise.
* @return VFSItem if successful, null otherwise.
*/
public VFSLeaf createChildLeaf(String name);

Expand Down
Expand Up @@ -598,7 +598,7 @@ public Response replyToPostAttachment(@PathParam("messageKey") Long messageKey,
return attachToPost(messageKey, filename, in, request);
}

protected Response attachToPost(Long messageKey, String filename, InputStream file, HttpServletRequest request) {
private Response attachToPost(Long messageKey, String filename, InputStream file, HttpServletRequest request) {
//load message
Message mess = fom.loadMessage(messageKey);
if(mess == null) {
Expand All @@ -610,7 +610,7 @@ protected Response attachToPost(Long messageKey, String filename, InputStream fi
return attachToPost(mess, filename, file, request);
}

protected Response attachToPost(Message mess, String filename, InputStream file, HttpServletRequest request) {
private Response attachToPost(Message mess, String filename, InputStream file, HttpServletRequest request) {
Identity identity = getIdentity(request);
if(identity == null) {
return Response.serverError().status(Status.UNAUTHORIZED).build();
Expand Down
Expand Up @@ -1365,9 +1365,9 @@ public Response attachTaskFile(@PathParam("courseId") Long courseId, @PathParam(
String filename = reader.getValue("filename", "task");
String taskFolderPath = TACourseNode.getTaskFolderPathRelToFolderRoot(course, parentNode.getCourseNode());
VFSContainer taskFolder = VFSManager.olatRootContainer(taskFolderPath, null);
VFSLeaf singleFile = (VFSLeaf) taskFolder.resolve("/" + filename);
VFSLeaf singleFile = (VFSLeaf)taskFolder.resolve(filename);
if (singleFile == null) {
singleFile = taskFolder.createChildLeaf("/" + filename);
singleFile = taskFolder.createChildLeaf(filename);
}
File file = reader.getFile();
if(file != null) {
Expand Down Expand Up @@ -2314,9 +2314,9 @@ public void configure(ICourse course, CourseNode newNode, ModuleConfiguration mo
if(STCourseNodeEditController.CONFIG_VALUE_DISPLAY_FILE.equals(moduleConfig.getStringValue(STCourseNodeEditController.CONFIG_KEY_DISPLAY_TYPE))) {
if(in != null && StringHelper.containsNonWhitespace(filename)) {
VFSContainer rootContainer = course.getCourseFolderContainer();
VFSLeaf singleFile = (VFSLeaf) rootContainer.resolve("/" + filename);
VFSLeaf singleFile = (VFSLeaf) rootContainer.resolve(filename);
if (singleFile == null) {
singleFile = rootContainer.createChildLeaf("/" + filename);
singleFile = rootContainer.createChildLeaf(filename);
}

moduleConfig.set(STCourseNodeEditController.CONFIG_KEY_FILE, "/" + filename);
Expand All @@ -2326,7 +2326,7 @@ public void configure(ICourse course, CourseNode newNode, ModuleConfiguration mo
FileUtils.closeSafely(in);
} else if (StringHelper.containsNonWhitespace(filename)) {
VFSContainer rootContainer = course.getCourseFolderContainer();
VFSLeaf singleFile = (VFSLeaf) rootContainer.resolve("/" + filename);
VFSLeaf singleFile = (VFSLeaf) rootContainer.resolve(filename);
if(singleFile != null) {
moduleConfig.set(STCourseNodeEditController.CONFIG_KEY_FILE, "/" + filename);
}
Expand Down Expand Up @@ -2487,9 +2487,9 @@ public boolean isValid() {
public void configure(ICourse course, CourseNode newNode, ModuleConfiguration moduleConfig) {
newNode.setDisplayOption(CourseNode.DISPLAY_OPTS_TITLE_DESCRIPTION_CONTENT);
VFSContainer rootContainer = course.getCourseFolderContainer();
VFSLeaf singleFile = (VFSLeaf) rootContainer.resolve("/" + filename);
VFSLeaf singleFile = (VFSLeaf) rootContainer.resolve(filename);
if (singleFile == null) {
singleFile = rootContainer.createChildLeaf("/" + filename);
singleFile = rootContainer.createChildLeaf(filename);
}

if(in != null) {
Expand Down
Expand Up @@ -58,7 +58,7 @@ private final void servlet31(HttpServletRequest request) {
if(part.getContentType() != null && (StringHelper.containsNonWhitespace(part.getSubmittedFileName()) || !part.getContentType().startsWith("text/plain"))) {
contentType = part.getContentType();
filename = part.getSubmittedFileName();
if(filename != null) {
if(filename != null && !filename.contains("..")) {
filename = UUID.randomUUID().toString().replace("-", "") + "_" + filename;
} else {
filename = "upload-" + UUID.randomUUID().toString().replace("-", "");
Expand Down
35 changes: 35 additions & 0 deletions src/test/java/org/olat/restapi/ForumTest.java
Expand Up @@ -387,6 +387,41 @@ public void testUploadAttachment() throws IOException, URISyntaxException {
conn.shutdown();
}

@Test
public void testUploadAttachmentOutOfBox() throws IOException, URISyntaxException {
RestConnection conn = new RestConnection();
assertTrue(conn.login(id1));

URI uri = getForumUriBuilder().path("posts").path(m1.getKey().toString())
.queryParam("authorKey", id1.getKey())
.queryParam("title", "New message with attachment ")
.queryParam("body", "A very interesting response in Thread-1 with an attachment").build();
HttpPut method = conn.createPut(uri, MediaType.APPLICATION_JSON, true);
HttpResponse response = conn.execute(method);
assertEquals(200, response.getStatusLine().getStatusCode());
MessageVO message = conn.parse(response, MessageVO.class);
assertNotNull(message);

//attachment
URL portraitUrl = CoursesElementsTest.class.getResource("portrait.jpg");
assertNotNull(portraitUrl);
File portrait = new File(portraitUrl.toURI());

//upload portrait
URI attachUri = getForumUriBuilder().path("posts").path(message.getKey().toString()).path("attachments").build();
HttpPost attachMethod = conn.createPost(attachUri, MediaType.APPLICATION_JSON);
conn.addMultipart(attachMethod, "../../portrait.jpg", portrait);
HttpResponse attachResponse = conn.execute(attachMethod);
assertEquals(200, attachResponse.getStatusLine().getStatusCode());

//check if the file exists
VFSContainer container = forumManager.getMessageContainer(message.getForumKey(), message.getKey());
VFSItem uploadedFile = container.resolve("portrait.jpg");
Assert.assertNull(uploadedFile);

conn.shutdown();
}

@Test
public void testUpload64Attachment() throws IOException, URISyntaxException {
RestConnection conn = new RestConnection();
Expand Down

0 comments on commit c450df7

Please sign in to comment.