Merge pull request #301 from radioegor146/patch-2
fix bad security check
This commit is contained in:
commit
5192641e0b
1 changed files with 2 additions and 9 deletions
|
@ -17,6 +17,7 @@
|
|||
import java.io.UnsupportedEncodingException;
|
||||
import java.net.URLDecoder;
|
||||
import java.nio.file.Path;
|
||||
import java.nio.file.Paths;
|
||||
import java.text.SimpleDateFormat;
|
||||
import java.util.Calendar;
|
||||
import java.util.Date;
|
||||
|
@ -189,15 +190,7 @@ private static String sanitizeUri(String uri) {
|
|||
// Convert file separators.
|
||||
uri = uri.replace(File.separatorChar, '/');
|
||||
|
||||
// Simplistic dumb security check.
|
||||
// You will have to do something serious in the production environment.
|
||||
if (uri.contains(File.separator + '.') ||
|
||||
uri.contains('.' + File.separator) ||
|
||||
uri.charAt(0) == '.' || uri.charAt(uri.length() - 1) == '.' ||
|
||||
INSECURE_URI.matcher(uri).matches()) {
|
||||
return null;
|
||||
}
|
||||
return uri.substring(1);
|
||||
return Paths.get(uri).normalize().toString().substring(1);
|
||||
}
|
||||
|
||||
private static final Pattern ALLOWED_FILE_NAME = Pattern.compile("[^-\\._]?[^<>&\\\"]*");
|
||||
|
|
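Review bot: The new return on the last changed line lets `Paths.get(uri)` throw `InvalidPathException` (a URL-decoded `%00`, or `<>:"|?*` on Windows) instead of returning null as the removed check did, so a malformed request now escapes sanitizeUri as an unchecked exception rather than being rejected; sanitizeUri starts above this hunk, so the earlier decode and any leading-'/' check are not visible here. The traversal safety of `normalize().toString().substring(1)` depends on that leading '/' anchoring the path at the root, where leading `..` segments are discarded; a relative `../x` would normalize unchanged and come back as `./x`, so the check must stay if it exists. `toString()` also re-emits platform separators, so on Windows the result changes from `foo/bar` to `foo\bar` compared with the old `uri.substring(1)`, which the caller may or may not tolerate. I'd catch the exception to keep the null contract (needs `import java.nio.file.InvalidPathException;`), and if `INSECURE_URI` is still declared it is now unused.
```java
// … unchanged: separator conversion …
Path normalized;
try {
    normalized = Paths.get(uri).normalize();
} catch (InvalidPathException e) {
    // Unparseable path (e.g. embedded NUL): reject rather than propagate.
    return null;
}
return normalized.toString().substring(1);
```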