From 406a77f8ee7e84890df1ef71285a69bab7cb200a Mon Sep 17 00:00:00 2001
From: Himanshu Seth <himanshu@intelligrape.com>
Date: Sat, 25 Feb 2012 15:10:12 +0530
Subject: [PATCH] Now disallowing access to files/folders outside the provided
 config

---
 .../grails/plugins/fileviewer/FileController.groovy |  4 +++-
 grails-app/i18n/message.properties                  |  3 ++-
 grails-app/views/file/fileList.gsp                  |  4 +++-
 .../grails/plugins/fileviewer/FileLocations.groovy  | 13 ++++++++++++-
 4 files changed, 20 insertions(+), 4 deletions(-)

diff --git a/grails-app/controllers/org/grails/plugins/fileviewer/FileController.groovy b/grails-app/controllers/org/grails/plugins/fileviewer/FileController.groovy
index aa1ba72..7827d51 100644
--- a/grails-app/controllers/org/grails/plugins/fileviewer/FileController.groovy
+++ b/grails-app/controllers/org/grails/plugins/fileviewer/FileController.groovy
@@ -13,7 +13,7 @@ class FileController {
         Map model = [locations: fileLocations.locations]
         if (params.filePath) {
             File file = new File(params.filePath)
-            if (file.exists()) {
+            if (fileLocations.isValidPath(params.filePath) && file.exists()) {
                 if (file.isFile()) {
                     List locations = getSubFiles(file.parentFile)
                     String fileContents = getFileContents(file)
@@ -26,6 +26,8 @@ class FileController {
                     model['prevLocation'] = file.getParentFile()?.absolutePath
                 }
                 model['showBackLink'] = true
+            } else {
+                model.errorMessage = message(code: 'default.path.invalid.message')
             }
         }
         render(view: "/file/fileList", model: model, plugin: 'fileViewer')
diff --git a/grails-app/i18n/message.properties b/grails-app/i18n/message.properties
index d3ea1b6..2b7a82b 100644
--- a/grails-app/i18n/message.properties
+++ b/grails-app/i18n/message.properties
@@ -1,4 +1,5 @@
 default.link.back.label=Back
 default.page.title.label=File List
 default.page.body.detail=Please click on the links below to view detailed reports:
-default.link.download.label=Download complete file
\ No newline at end of file
+default.link.download.label=Download complete file
+default.path.invalid.message=Path provide was either not found or was outside the config scope
diff --git a/grails-app/views/file/fileList.gsp b/grails-app/views/file/fileList.gsp
index 4b7c919..50de51c 100644
--- a/grails-app/views/file/fileList.gsp
+++ b/grails-app/views/file/fileList.gsp
@@ -5,18 +5,20 @@
 	<title><g:message code="default.page.title.label" default="File List" /></title>
     <style type="text/css">
         * {margin: 0;padding: 0;}
-        body {font-size: 100.01%;font-family: Arial, sans-serif;color: #333;background: #f8f8f8;padding: 2em;}
+        body {font-size: 100.01%;font-family: Arial, sans-serif;color: #333;background: #f8f8f8;padding: 10px;}
         h1 {color: #363;font-size: 1.2em;margin: .5em 0;}
         p, pre, li {margin: 0 0 .5em 0;list-style: square;}
         ul {margin: 1em;}
         pre {background: #eee;border: 1px solid #999;padding: .5em;margin: .5em;font-size: .9em;}
         a {color: #369;font-size: .8em;}
+        div.error{background: #ff0000;margin: 10px;}
     </style>
 </head>
 <body>
 <br/><strong>
 	<g:message code="default.page.body.detail" default="Please click on the links below to view detailed reports:" />
 </strong><br/><br/>
+<g:if test="${errorMessage}"><div class="error">${errorMessage}</div></g:if>
 <g:if test="${showBackLink}">
 	<div id="backLink">
 		<a class="showReportLink" href="${createLink(action: 'index', params: [filePath: prevLocation])}">
diff --git a/src/groovy/org/grails/plugins/fileviewer/FileLocations.groovy b/src/groovy/org/grails/plugins/fileviewer/FileLocations.groovy
index 86fbd8d..ba5e0cd 100644
--- a/src/groovy/org/grails/plugins/fileviewer/FileLocations.groovy
+++ b/src/groovy/org/grails/plugins/fileviewer/FileLocations.groovy
@@ -6,6 +6,17 @@ package org.grails.plugins.fileviewer
  */
 
 class FileLocations {
-	List<String> locations
+    List<String> locations
     Integer linesCount
+    Boolean areDoubleDotsAllowedInFilePath = false
+
+    boolean isValidPath(String filePath) {
+        boolean isValid = this.locations.any {filePath.startsWith(it)}
+        if(isValid && !areDoubleDotsAllowedInFilePath) {
+            isValid = !filePath.contains("..")
+        }
+        isValid
+    }
+
+
 }