[KARAF-7326] Add ending slash (separator) in canonical path, avoiding…

… partial path traversal (cherry picked from commit 36a2bc4)
apache · Jan 10, 2022 · f41fda3 · f41fda3
1 parent ac02b00
commit f41fda3
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java b/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
@@ -110,7 +110,11 @@ public static void unjar(JarInputStream jis, File dir)
             }
 
             File target = new File(dir, je.getName());
-            if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+            String canonicalizedDir = dir.getCanonicalPath();
+            if (!canonicalizedDir.endsWith(File.separator)) {
+                canonicalizedDir += File.separator;
+            }
+            if (!target.getCanonicalPath().startsWith(canonicalizedDir)) {
                 throw new IOException("JAR resource cannot contain paths with .. characters");
             }
 

diff --git a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
@@ -436,7 +436,11 @@ private static void extract(ArchiveInputStream is, File targetDir) throws IOExce
                 String name = entry.getName();
                 name = name.substring(name.indexOf("/") + 1);
                 File file = new File(targetDir, name);
-                if (!file.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+                String canonicalizedTargetDir = targetDir.getCanonicalPath();
+                if (!canonicalizedTargetDir.endsWith(File.separator)) {
+                    canonicalizedTargetDir += File.separator;
+                }
+                if (!file.getCanonicalPath().startsWith(canonicalizedTargetDir)) {
                     throw new IOException("Archive cannot contain paths with .. characters");
                 }