authorMartin Stockhammer <martin_s@apache.org>2019-02-24 14:56:11 +0100
committerMartin Stockhammer <martin_s@apache.org>2019-02-25 08:41:39 +0100
commitc5bcbaabedc323e778fe03289cbbfaa35b25e2d8 (patch)
treeadce99847903cf5428754246dc13a40cdac9b145 /archiva-modules/archiva-web/archiva-web-common/src/main
parent52b971c59333153f4fbeb779a4c1373316f579c4 (diff)
Adding additional verifications for upload
Diffstat (limited to 'archiva-modules/archiva-web/archiva-web-common/src/main')
-rw-r--r--archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java9
1 files changed, 6 insertions, 3 deletions
diff --git a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
index e4d6676d6..d5f0ec54e 100644
--- a/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
+++ b/archiva-modules/archiva-web/archiva-web-common/src/main/java/org/apache/archiva/web/api/DefaultFileUploadService.java
@@ -70,6 +70,7 @@ import java.io.FileOutputStream;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;
+import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.text.DateFormat;
import java.text.SimpleDateFormat;
@@ -183,15 +184,17 @@ public class DefaultFileUploadService
public Boolean deleteFile( String fileName )
throws ArchivaRestServiceException
{
- File file = new File( SystemUtils.getJavaIoTmpDir(), fileName );
+ // we make sure, that there are no other path components in the filename:
+ String checkedFileName = Paths.get(fileName).getFileName().toString();
+ File file = new File( SystemUtils.getJavaIoTmpDir(), checkedFileName );
log.debug( "delete file:{},exists:{}", file.getPath(), file.exists() );
boolean removed = getSessionFileMetadatas().remove( new FileMetadata( fileName ) );
// try with full name as ui only know the file name
if ( !removed )
{
- /* unused */ getSessionFileMetadatas().remove( new FileMetadata( file.getPath() ) );
+ removed = getSessionFileMetadatas().remove( new FileMetadata( file.getPath() ) );
}
- if ( file.exists() )
+ if (removed && file.exists() )
{
return file.delete();
}
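Review bot: `Paths.get(fileName).getFileName()` in the new `deleteFile` lines returns null when the input has no name element (a bare root such as `/`), so the chained `.toString()` would throw a NullPointerException instead of the declared ArchivaRestServiceException; `Paths.get` can also throw InvalidPathException on characters the platform rejects. The stripped name can still be `.` or `..`, which resolve to the temp directory itself or its parent. Rather than silently discarding path components, consider rejecting any request whose name changes: `Path name = Paths.get( fileName ).getFileName();` followed by `if ( name == null || !name.toString().equals( fileName ) )` throwing ArchivaRestServiceException (this needs `java.nio.file.Path` imported), plus an explicit check for `.` and `..`. The first `remove( new FileMetadata( fileName ) )` still uses the unchecked value; that looks intentional for the session lookup but is worth confirming, since `removed` now gates the delete. The method body continues past the end of the hunk.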