Description: fix arbitrary file overwrite via poison null byte
Origin: backport, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
WARNING: this patch contains CRLF line endings, editing it may break it
Index: libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
===================================================================
--- libcommons-fileupload-java-1.2.2.orig/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 10:56:14.286994776 -0500
+++ libcommons-fileupload-java-1.2.2/src/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 11:03:26.963005854 -0500
@@ -712,6 +712,26 @@
// read values
in.defaultReadObject();
+ /* One expected use of serialization is to migrate HTTP sessions
+ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
+ * on different machines It is possible that the repository location is
+ * not valid so validate it.
+ */
+ if (repository != null) {
+ if (repository.isDirectory()) {
+ // Check path for nulls
+ if (repository.getPath().contains("\0")) {
+ throw new IOException("The repository [" +
+ repository.getPath() +
+ "] contains a null character");
+ }
+ } else {
+ throw new IOException("The repository [" +
+ repository.getAbsolutePath() +
+ "] is not a directory");
+ }
+ }
+
OutputStream output = getOutputStream();
if (cachedContent != null) {
output.write(cachedContent);
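Review bot: The added validation accepts any existing directory named in the serialized stream, so the `getOutputStream()` call and `output.write(cachedContent)` right after it still appear to write stream-supplied bytes under a location the stream chooses; the check closes the NUL-byte case but does not confine `repository` to the configured upload directory. If that is the intended scope, the block comment should say so, e.g. `// repository still comes from the stream: only deserialize DiskFileItem from trusted sources`; otherwise compare the canonical path against an expected base directory before the write. Separately, `repository.isDirectory()` runs before the NUL test, so the unvalidated path reaches the filesystem first; moving `if (repository.getPath().indexOf('\0') != -1)` ahead of the `isDirectory()` branch rejects it without a filesystem call. The enclosing method starts and ends outside the hunk, so how `getOutputStream()` uses `repository` is inferred rather than visible here.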