KEYCLOAK-15012 Fix issue with folder theme provider

keycloak · Nov 6, 2020 · 1281f28 · 1281f28
1 parent 2df6236
commit 1281f28
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 2 deletions.
diff --git a/services/src/main/java/org/keycloak/theme/FolderTheme.java b/services/src/main/java/org/keycloak/theme/FolderTheme.java
@@ -93,7 +93,7 @@ public InputStream getResourceAsStream(String path) throws IOException {
         }
 
         File file = new File(resourcesDir, path);
-        if (!file.isFile() || !file.getCanonicalPath().startsWith(resourcesDir.getCanonicalPath())) {
+        if (!file.isFile() || !file.getCanonicalPath().startsWith(resourcesDir.getCanonicalPath() + File.separator)) {
             return null;
         } else {
             return file.toURI().toURL().openStream();

diff --git a/services/src/main/java/org/keycloak/theme/FolderThemeProvider.java b/services/src/main/java/org/keycloak/theme/FolderThemeProvider.java
@@ -84,7 +84,15 @@ public void close() {
     }
 
     private File getThemeDir(String name, Theme.Type type) {
-        return new File(themesDir, name + File.separator + type.name().toLowerCase());
+        File f = new File(themesDir, name + File.separator + type.name().toLowerCase());
+        try {
+            if (!f.getCanonicalPath().startsWith(themesDir.getCanonicalPath() + File.separator)) {
+                return null;
+            }
+        } catch (IOException e) {
+            return null;
+        }
+        return f;
     }
 
 }