Perform checks before saving uploaded file(s)

deegree · Jan 25, 2019 · fa34625 · fa34625
1 parent 23586af
commit fa34625
Showing 1 changed file with 13 additions and 3 deletions.
diff --git a/...ces/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java b/...ces/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java
@@ -50,6 +50,7 @@
 import javax.servlet.http.HttpServletResponse;
 
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.FileUtils;
 import org.deegree.commons.config.DeegreeWorkspace;
 import org.deegree.commons.utils.Pair;
 
@@ -84,15 +85,24 @@ public static void upload( String path, HttpServletRequest req, HttpServletRespo
                 // unzip a workspace
                 String wsName = p.second.substring( 0, p.second.length() - 4 );
                 String dirName = p.second.endsWith( ".zip" ) ? wsName : p.second;
-                File dir = new File( getWorkspaceRoot(), dirName );
-                if ( isWorkspace( dirName ) ) {
+                File workspaceRoot = new File ( getWorkspaceRoot() );
+                File dir = new File( workspaceRoot, dirName );
+                if ( !FileUtils.directoryContains( workspaceRoot, dir ) ) {
+                    IOUtils.write( "Workspace " + wsName + " invalid.\n", resp.getOutputStream() );
+                    return;
+                } else if ( isWorkspace( dirName ) ) {
                     IOUtils.write( "Workspace " + wsName + " exists.\n", resp.getOutputStream() );
                     return;
                 }
                 unzip( in, dir );
                 IOUtils.write( "Workspace " + wsName + " uploaded.\n", resp.getOutputStream() );
             } else {
-                File dest = new File( p.first.getLocation(), p.second );
+                File workspaceDir = p.first.getLocation();
+                File dest = new File( workspaceDir, p.second );
+                if ( !FileUtils.directoryContains( workspaceDir, dest ) ) {
+                    IOUtils.write( "Unable to upload file: " + p.second + ".\n", resp.getOutputStream() );
+                    return;
+                }
                 if ( !dest.getParentFile().exists() && !dest.getParentFile().mkdirs() ) {
                     IOUtils.write( "Unable to create parent directory for upload.\n", resp.getOutputStream() );
                     return;