From f89ab72802d1ca42c7109f232d018fccedd419e2 Mon Sep 17 00:00:00 2001
From: James Moger
Date: Fri, 20 Feb 2015 07:48:50 -0500
Subject: [PATCH] Sandbox the file handler path handling for security

The file handler was susceptible to serving resources from outside it's base directory by using relative paths such as "../../../private.txt".
---
 .../pippo/core/route/FileResourceHandler.java | 18 +++++++++++++-----
 1 file changed, 13 insertions(+), 5 deletions(-)

diff --git a/pippo-core/src/main/java/ro/pippo/core/route/FileResourceHandler.java b/pippo-core/src/main/java/ro/pippo/core/route/FileResourceHandler.java
index 679241640..4379291bf 100644
--- a/pippo-core/src/main/java/ro/pippo/core/route/FileResourceHandler.java
+++ b/pippo-core/src/main/java/ro/pippo/core/route/FileResourceHandler.java
@@ -21,6 +21,8 @@
 import java.io.File;
 import java.net.MalformedURLException;
 import java.net.URL;
+import java.nio.file.Path;
+import java.nio.file.Paths;
 
 /**
 * Serves file resources.
@@ -31,11 +33,11 @@ public class FileResourceHandler extends StaticResourceHandler {
 
 private static final Logger log = LoggerFactory.getLogger(FileResourceHandler.class);
 
- final File directory;
+ final String directory;
 
 public FileResourceHandler(String urlPath, File directory) {
 super(urlPath);
- this.directory = directory.getAbsoluteFile();
+ this.directory = directory.getAbsolutePath();
 }
 
 public FileResourceHandler(String urlPath, String directory) {
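Review bot: `this.directory = directory.getAbsolutePath();` stores the base path without normalizing it, while the request-side check in the following hunk normalizes the requested path before calling `startsWith(directory)`; a base directory configured with `.` or `..` segments (for example `./public`) therefore never matches and every request is rejected with the "not located in" warning. Normalize on this side as well, `this.directory = directory.toPath().toAbsolutePath().normalize().toString();`, so both operands of the containment check are in the same form. Note that `normalize()` only rewrites path segments and does not resolve symbolic links, so a link inside the base directory that points elsewhere would presumably still be served; whether that is intended is worth stating in the class Javadoc, e.g. `Serves file resources below a fixed base directory; symbolic links inside it are followed.`.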
@@ -47,11 +49,17 @@ public URL getResourceUrl(String resourcePath) {
 URL url = null;
 try {
- File file = new File(directory, resourcePath).getAbsoluteFile();
+ Path requestedPath = Paths.get(directory, resourcePath).normalize().toAbsolutePath();
+ if (!requestedPath.startsWith(directory)) {
+ log.warn("Request for '{}' which is not located in '{}'", requestedPath, directory);
+ return null;
+ }
+
+ File file = requestedPath.toFile();
 if (file.exists() && file.isFile()) {
- url = file.toURI().toURL();
+ url = requestedPath.toUri().toURL();
 } else {
- log.error("File '{}' not found", file);
+ log.warn("File '{}' not found", resourcePath);
 }
 } catch (MalformedURLException e) {
 log.error(e.getMessage(), e);