From fa34625bebcd077ca03c52c14338cd88d1c517b2 Mon Sep 17 00:00:00 2001
From: Reijer Copier
Date: Fri, 25 Jan 2019 14:58:08 +0100
Subject: [PATCH] Perform checks before saving uploaded file(s)
---
 .../deegree/services/config/actions/Upload.java | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)
diff --git a/deegree-services/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java b/deegree-services/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java
index b80a6c6191..bbc6766548 100644
--- a/deegree-services/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java
+++ b/deegree-services/deegree-services-config/src/main/java/org/deegree/services/config/actions/Upload.java
@@ -50,6 +50,7 @@ import javax.servlet.http.HttpServletResponse;
 import org.apache.commons.io.IOUtils;
+import org.apache.commons.io.FileUtils;
 import org.deegree.commons.config.DeegreeWorkspace;
 import org.deegree.commons.utils.Pair;
@@ -84,15 +85,24 @@ public static void upload( String path, HttpServletRequest req, HttpServletRespo
 // unzip a workspace
 String wsName = p.second.substring( 0, p.second.length() - 4 );
 String dirName = p.second.endsWith( ".zip" ) ? wsName : p.second;
-File dir = new File( getWorkspaceRoot(), dirName );
-if ( isWorkspace( dirName ) ) {
+File workspaceRoot = new File ( getWorkspaceRoot() );
+File dir = new File( workspaceRoot, dirName );
+if ( !FileUtils.directoryContains( workspaceRoot, dir ) ) {
+IOUtils.write( "Workspace " + wsName + " invalid.\n", resp.getOutputStream() );
+return;
+} else if ( isWorkspace( dirName ) ) {
 IOUtils.write( "Workspace " + wsName + " exists.\n", resp.getOutputStream() );
 return;
 }
 unzip( in, dir );
 IOUtils.write( "Workspace " + wsName + " uploaded.\n", resp.getOutputStream() );
 } else {
-File dest = new File( p.first.getLocation(), p.second );
+File workspaceDir = p.first.getLocation();
+File dest = new File( workspaceDir, p.second );
+if ( !FileUtils.directoryContains( workspaceDir, dest ) ) {
+IOUtils.write( "Unable to upload file: " + p.second + ".\n", resp.getOutputStream() );
+return;
+}
 if ( !dest.getParentFile().exists() && !dest.getParentFile().mkdirs() ) {
 IOUtils.write( "Unable to create parent directory for upload.\n", resp.getOutputStream() );
 return;
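Review bot: The new containment check on `dir` does not cover the entries that `unzip( in, dir )` extracts afterwards, so an archive entry named `../../something` would still land outside the workspace root unless `unzip` canonicalizes every entry target against `dir` itself; its body is outside this hunk, so that should be confirmed, for example with `if ( !FileUtils.directoryContains( dir, new File( dir, entry.getName() ) ) ) { /* reject entry */ }` before each write. A second caveat applies to both new checks: `FileUtils.directoryContains` compares canonical paths, and in older commons-io releases it is a plain prefix test with no separator boundary, so a sibling such as `<workspaceRoot>-old` would be accepted as "contained" — worth verifying against the commons-io version on the classpath, or additionally comparing `dir.getCanonicalFile().getParentFile()` with `workspaceRoot.getCanonicalFile()` for the single-level workspace case. The enclosing `upload` method begins before and continues after this hunk.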