Description: fix arbitrary file overwrite via poison null byte
Origin: backport, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814

WARNING: this patch contains CRLF line endings, editing it may break it

Index: libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
===================================================================
--- libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java	2013-11-07 10:56:14.286994776 -0500
+++ libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java	2013-11-07 11:03:26.963005854 -0500
@@ -712,6 +712,26 @@
         // read values
         in.defaultReadObject();
 
+        /* One expected use of serialization is to migrate HTTP sessions
+         * containing a DiskFileItem between JVMs. Particularly if the JVMs are
+         * on different machines It is possible that the repository location is
+         * not valid so validate it.
+         */
+        if (repository != null) {
+            if (repository.isDirectory()) {
+                // Check path for nulls
+                if (repository.getPath().contains("\0")) {
+                    throw new IOException("The repository [" +
+                            repository.getPath() +
+                            "] contains a null character");
+                }
+            } else {
+                throw new IOException("The repository [" +
+                        repository.getAbsolutePath() +
+                        "] is not a directory");
+            }
+        }
+
         OutputStream output = getOutputStream();
         if (cachedContent != null) {
             output.write(cachedContent);