Description: Validation of filename params in ReplicationHandler
This is a backport of the upstream patch from commit
ae789c252687dc8a18bfdb677f2e6cd14570e4db by janhoy <janhoy@apache.org>
Author: Lucas Kanashiro <kanashiro@debian.org>
Last-Updated: 2017-07-21
--- a/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java
+++ b/solr/core/src/java/org/apache/solr/handler/ReplicationHandler.java
@@ -42,6 +42,8 @@
import java.io.*;
import java.nio.ByteBuffer;
import java.nio.channels.FileChannel;
+import java.nio.file.Path;
+import java.nio.file.Paths;
import java.text.NumberFormat;
import java.util.*;
import java.util.concurrent.locks.ReentrantLock;
@@ -1010,8 +1012,8 @@
}
public void write(OutputStream out) throws IOException {
- String fileName = params.get(FILE);
- String cfileName = params.get(CONF_FILE_SHORT);
+ String fileName = validateFilenameOrError(params.get(FILE));
+ String cfileName = validateFilenameOrError(params.get(CONF_FILE_SHORT));
String sOffset = params.get(OFFSET);
String sLen = params.get(LEN);
String compress = params.get(COMPRESSION);
@@ -1091,6 +1093,21 @@
}
}
+ // Throw exception on directory traversal attempts
+ protected String validateFilenameOrError(String filename) {
+ if (filename != null) {
+ Path filePath = Paths.get(filename);
+ for (Path subpath : filePath) {
+ if ("..".equals(subpath.toString())) {
+ throw new SolrException(ErrorCode.FORBIDDEN, "File name cannot contain ..");
+ }
+ }
+ if (filePath.isAbsolute()) {
+ throw new SolrException(ErrorCode.FORBIDDEN, "File name must be relative");
+ }
+ return filename;
+ } else return null;
+ }
/**
* Used to write a marker for EOF
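Review bot: `Paths.get(filename)` in `validateFilenameOrError` throws the unchecked `InvalidPathException` when the platform cannot parse the string (an embedded NUL character, for instance), so a malformed request parameter surfaces as a generic server error rather than the `SolrException` this method raises for every other rejection; catch it and rethrow as a client error. The `isAbsolute()` test is platform-dependent as well: on Windows a drive-relative or root-relative name carries a root component without being absolute, so testing `filePath.getRoot() != null` is the stricter form. The check is a deny-list on the raw string; whether the directory the name is later resolved against contains symlinks is not visible in this hunk, so a containment check after resolution may still be worth adding at the point of use. A short Javadoc in place of the `//` comment, stating that null passes through and that the original string is returned unchanged, would document the contract, and the trailing `else return null;` reads better as a braced early return.
```java
protected String validateFilenameOrError(String filename) {
  if (filename == null) {
    return null;
  }
  final Path filePath;
  try {
    filePath = Paths.get(filename);
  } catch (java.nio.file.InvalidPathException e) {
    // Unparseable names are rejected as a client error, not a server fault.
    throw new SolrException(ErrorCode.BAD_REQUEST, "Invalid file name", e);
  }
  // … unchanged: rejection of ".." name elements …
  if (filePath.getRoot() != null) {
    throw new SolrException(ErrorCode.FORBIDDEN, "File name must be relative");
  }
  return filename;
}
```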