Lanmikeman/Launcher
1
1
Fork 0
mirror of https://github.com/GravitLauncher/Launcher synced 2024-11-15 11:39:11 +03:00
Code Issues Projects Releases Packages Wiki Activity

Merge pull request #301 from radioegor146/patch-2

Browse source 
fix bad security check
This commit is contained in:
Gravit 2019-06-27 08:51:36 +07:00 committed by GitHub
commit 5192641e0b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 2 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

11
LaunchServer/src/main/java/pro/gravit/launchserver/websocket/fileserver/FileServerHandler.java
View file

@ -17,6 +17,7 @@
import java.io.UnsupportedEncodingException; import java.io.UnsupportedEncodingException;
import java.net.URLDecoder; import java.net.URLDecoder;
import java.nio.file.Path; import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.SimpleDateFormat; import java.text.SimpleDateFormat;
import java.util.Calendar; import java.util.Calendar;
import java.util.Date; import java.util.Date;
@ -189,15 +190,7 @@ private static String sanitizeUri(String uri) {
// Convert file separators. // Convert file separators.
uri = uri.replace(File.separatorChar, '/'); uri = uri.replace(File.separatorChar, '/');
// Simplistic dumb security check. return Paths.get(uri).normalize().toString().substring(1);
// You will have to do something serious in the production environment.
if (uri.contains(File.separator + '.') ||
uri.contains('.' + File.separator) ||
uri.charAt(0) == '.' || uri.charAt(uri.length() - 1) == '.' ||
INSECURE_URI.matcher(uri).matches()) {
return null;
}
return uri.substring(1);
} }
private static final Pattern ALLOWED_FILE_NAME = Pattern.compile("[^-\\._]?[^<>&\\\"]*"); private static final Pattern ALLOWED_FILE_NAME = Pattern.compile("[^-\\._]?[^<>&\\\"]*");