url fileserver fixes (#309)

This commit is contained in:
Egor Koleda 2019-07-28 18:57:52 +03:00 committed by Gravit
parent 0031200679
commit 02b652ffd5
2 changed files with 19 additions and 22 deletions

View file

@ -15,6 +15,8 @@
import java.io.FileNotFoundException; import java.io.FileNotFoundException;
import java.io.RandomAccessFile; import java.io.RandomAccessFile;
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URLDecoder; import java.net.URLDecoder;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.Paths; import java.nio.file.Paths;
@ -77,7 +79,15 @@ public void channelRead0(ChannelHandlerContext ctx, FullHttpRequest request) thr
} }
final String uri = request.uri(); final String uri = request.uri();
final String path = sanitizeUri(uri); final String path;
try {
path = Paths.get(new URI(uri).getPath()).normalize().toString().substring(1);
} catch (URISyntaxException e) {
sendError(ctx, BAD_REQUEST);
return;
}
if (path == null) { if (path == null) {
sendError(ctx, FORBIDDEN); sendError(ctx, FORBIDDEN);
return; return;
@ -172,26 +182,6 @@ public void exceptionCaught(ChannelHandlerContext ctx, Throwable cause) {
} }
} }
private static final Pattern INSECURE_URI = Pattern.compile(".*[<>&\"].*");
private static String sanitizeUri(String uri) {
// Decode the path.
try {
uri = URLDecoder.decode(uri, "UTF-8");
} catch (UnsupportedEncodingException e) {
throw new Error(e);
}
if (uri.isEmpty() || uri.charAt(0) != '/') {
return null;
}
// Convert file separators.
uri = uri.replace(File.separatorChar, '/');
return Paths.get(uri).normalize().toString().substring(1);
}
private static final Pattern ALLOWED_FILE_NAME = Pattern.compile("[^-\\._]?[^<>&\\\"]*"); private static final Pattern ALLOWED_FILE_NAME = Pattern.compile("[^-\\._]?[^<>&\\\"]*");
private static void sendListing(ChannelHandlerContext ctx, File dir, String dirPath) { private static void sendListing(ChannelHandlerContext ctx, File dir, String dirPath) {

View file

@ -49,8 +49,15 @@ public void download(String base, List<DownloadTask> applies, Path dstDirFile, D
.build()) { .build()) {
HttpGet get = null; HttpGet get = null;
URI baseUri = new URI(base);
String scheme = baseUri.getScheme();
String host = baseUri.getHost();
int port = baseUri.getPort();
if (port != -1)
host = host + ":" + port;
String path = baseUri.getPath();
for (DownloadTask apply : applies) { for (DownloadTask apply : applies) {
URI u = new URL(base.concat(IOHelper.urlEncode(apply.apply).replace("%2F", "/"))).toURI(); URI u = new URI(scheme, host, path + apply.apply, "", "");
callback.stateChanged(apply.apply, 0L, apply.size); callback.stateChanged(apply.apply, 0L, apply.size);
Path targetPath = dstDirFile.resolve(apply.apply); Path targetPath = dstDirFile.resolve(apply.apply);
LogHelper.debug("Download URL: %s to file %s dir: %s", u.toString(), targetPath.toAbsolutePath().toString(), dstDirFile.toAbsolutePath().toString()); LogHelper.debug("Download URL: %s to file %s dir: %s", u.toString(), targetPath.toAbsolutePath().toString(), dstDirFile.toAbsolutePath().toString());