From: Martin Stockhammer <martin_s@apache.org>
Date: Sun, 24 Feb 2019 13:56:11 +0000 (+0100)
Subject: Adding additional verifications for upload
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=747cc55b248022066f5a8a92c6a6cc71b15ed944;p=archiva.git

Adding additional verifications for upload

(cherry picked from commit c5bcbaabedc323e778fe03289cbbfaa35b25e2d8)
---

diff --git a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
index 3a05d8fb9..0e55bdb0c 100644
--- a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
+++ b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
@@ -184,21 +184,22 @@ public class DefaultFileUploadService
     public Boolean deleteFile( String fileName )
         throws ArchivaRestServiceException
     {
-        Path file = SystemUtils.getJavaIoTmpDir().toPath().resolve( fileName );
+        // we make sure, that there are no other path components in the filename:
+        String checkedFileName = Paths.get(fileName).getFileName().toString();
+        Path file = SystemUtils.getJavaIoTmpDir().toPath().resolve( checkedFileName );
         log.debug( "delete file:{},exists:{}", file, Files.exists(file) );
         boolean removed = getSessionFileMetadatas().remove( new FileMetadata( fileName ) );
         // try with full name as ui only know the file name
-        if ( !removed )
-        {
-            /* unused */ getSessionFileMetadatas().remove( new FileMetadata( file.toString() ) );
-        }
-        try
-        {
-            Files.deleteIfExists( file );
-        }
-        catch ( IOException e )
-        {
-            log.error("Could not delete file {}: {}", file, e.getMessage(), e);
+        if ( !removed ) {
+            removed = getSessionFileMetadatas().remove(new FileMetadata(file.toString()));
+        }
+        if (removed) {
+            try {
+                Files.deleteIfExists(file);
+                return Boolean.TRUE;
+            } catch (IOException e) {
+                log.error("Could not delete file {}: {}", file, e.getMessage(), e);
+            }
         }
         return Boolean.FALSE;
     }