diff --git a/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java b/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
index 7725d584915..3dcbcc76b75 100644
--- a/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
+++ b/obr/src/main/java/org/apache/karaf/obr/command/util/FileUtil.java
@@ -110,7 +110,11 @@ public static void unjar(JarInputStream jis, File dir)
 }
 File target = new File(dir, je.getName());
- if (!target.getCanonicalPath().startsWith(dir.getCanonicalPath())) {
+ String canonicalizedDir = dir.getCanonicalPath();
+ if (!canonicalizedDir.endsWith(File.separator)) {
+ canonicalizedDir += File.separator;
+ }
+ if (!target.getCanonicalPath().startsWith(canonicalizedDir)) {
 throw new IOException("JAR resource cannot contain paths with .. characters");
 }
diff --git a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
index 60714b54c58..570e6fffc52 100644
--- a/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
+++ b/tooling/karaf-maven-plugin/src/main/java/org/apache/karaf/tooling/RunMojo.java
@@ -436,7 +436,11 @@ private static void extract(ArchiveInputStream is, File targetDir) throws IOExce
 String name = entry.getName();
 name = name.substring(name.indexOf("/") + 1);
 File file = new File(targetDir, name);
- if (!file.getCanonicalPath().startsWith(targetDir.getCanonicalPath())) {
+ String canonicalizedTargetDir = targetDir.getCanonicalPath();
+ if (!canonicalizedTargetDir.endsWith(File.separator)) {
+ canonicalizedTargetDir += File.separator;
+ }
+ if (!file.getCanonicalPath().startsWith(canonicalizedTargetDir)) {
 throw new IOException("Archive cannot contain paths with .. characters");
 }
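Review bot: The separator-appending lines added in unjar (FileUtil.java) carry no comment saying why they exist, so they read as redundant and are easy to drop in a later cleanup. A plain `startsWith` on canonical path strings also accepts a sibling directory whose name merely begins with the target's name (constructed example: `/tmp/out-other` checked against `/tmp/out`), so I would put `// Compare against dir + separator so a sibling such as "<dir>-other" cannot pass the prefix check` above `String canonicalizedDir`. The exception text on the following context line still says "paths with .. characters", which does not describe everything the check now rejects; something like `"JAR entry resolves outside target directory: " + je.getName()` would help whoever triages the failure. unjar's body starts and ends outside the hunk.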
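Review bot: An entry that resolves to targetDir itself is now rejected in extract (RunMojo.java), and the `name.substring(name.indexOf("/") + 1)` line just above makes that case likely: a top-level directory entry such as `dist/` (constructed) becomes the empty string, `new File(targetDir, "")` resolves to targetDir, and its canonical path cannot start with `canonicalizedTargetDir` because that string now ends in a separator. A well-formed archive would then fail with an IOException blaming `..`. Comparing by path element keeps the sibling-prefix protection and still accepts equality: `if (!file.getCanonicalFile().toPath().startsWith(targetDir.getCanonicalFile().toPath())) {`. The same form would fit the unjar hunk in FileUtil.java, although an entry naming the directory itself looks less likely there. extract's body continues outside the hunk, so how directory entries are handled afterwards is not visible.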