File jakarta-commons-fileupload-CVE-2013-2186.patch of Package jakarta-commons-fileupload.11150
Index: src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
===================================================================
--- src/java/org/apache/commons/fileupload/disk/DiskFileItem.java.orig
+++ src/java/org/apache/commons/fileupload/disk/DiskFileItem.java
@@ -674,6 +674,26 @@ public class DiskFileItem
         // read values
         in.defaultReadObject();
 
+        /* One expected use of serialization is to migrate HTTP sessions
+         * containing a DiskFileItem between JVMs. Particularly if the JVMs are
+         * on different machines It is possible that the repository location is
+         * not valid so validate it.
+         */
+        if (repository != null) {
+            if (repository.isDirectory()) {
+                // Check path for nulls
+                if (repository.getPath().contains("\0")) {
+                    throw new IOException(java.lang.String.format(
+                            "The repository [%s] contains a null character",
+                            repository.getPath()));
+                }
+            } else {
+                throw new IOException(java.lang.String.format(
+                        "The repository [%s] is not a directory",
+                        repository.getAbsolutePath()));
+            }
+        }
+
         OutputStream output = getOutputStream();
         if (cachedContent != null) {
             output.write(cachedContent);
Index: src/java/org/apache/commons/fileupload/DiskFileUpload.java
===================================================================
--- src/java/org/apache/commons/fileupload/DiskFileUpload.java.orig
+++ src/java/org/apache/commons/fileupload/DiskFileUpload.java
@@ -19,6 +19,8 @@ import java.io.File;
 import java.util.List;
 import javax.servlet.http.HttpServletRequest;
 
+import static java.lang.String.format;
+
 /**
  * <p>High level API for processing file uploads.</p>
  *
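Review bot: The added validation rejects only a `repository` that is not an existing directory or whose path contains a NUL byte, yet the context lines right after it (`OutputStream output = getOutputStream();` … `output.write(cachedContent);`) still write the deserialized `cachedContent` bytes into a file under whatever directory the serialized stream named, so a crafted DiskFileItem can still drop attacker-chosen content into any directory the JVM can write to. The file name under that directory is chosen by `getOutputStream()` outside this hunk, so whether it is attacker-influenced cannot be judged here, and the method (presumably `readObject`, given `in.defaultReadObject()`) begins and ends outside the hunk. If cross-JVM session migration genuinely needs this, consider comparing `repository.getCanonicalPath()` against the configured temp directory rather than accepting an arbitrary directory, or refusing to replay `cachedContent` to disk unless deserialization is explicitly enabled. At minimum add a comment above the check, e.g. `// repository comes from untrusted serialized data; any existing writable directory still passes this check`, and fix the mid-sentence capital in the block comment ("on different machines it is possible").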
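Review bot: The static import of `format` added to DiskFileUpload.java has no use visible in this hunk, while the DiskFileItem.java hunk in the same patch spells out `java.lang.String.format(...)` at both throw sites instead of importing it. If nothing in the rest of DiskFileUpload.java calls `format(...)`, this is an unused import and should be dropped from the patch; if it is used, the same import in DiskFileItem.java would make those throw sites read as `throw new IOException(format(...))`.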