File jboss-3.2.5-CVE-2006-5750.patch of Package tschehboss
# diff created from files as found at: # http://fisheye.jboss.org/changelog/JBossAS/?cs=58457 # Index: jboss-3.2.5-src/console/src/main/org/jboss/console/manager/DeploymentFileRepository.java =================================================================== --- jboss-3.2.5-src.orig/console/src/main/org/jboss/console/manager/DeploymentFileRepository.java +++ jboss-3.2.5-src/console/src/main/org/jboss/console/manager/DeploymentFileRepository.java @@ -1,8 +1,23 @@ /* - * JBoss, the OpenSource J2EE webOS + * JBoss, Home of Professional Open Source. + * Copyright 2006, Red Hat Middleware LLC, and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. * - * Distributable under LGPL license. - * See terms of license at gnu.org. + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. */ package org.jboss.console.manager; @@ -16,7 +31,7 @@ import java.io.File; import java.io.FileOutputStream; import java.io.PrintWriter; import java.io.IOException; -import java.net.URL; + /** * This class wraps the file system 
@@ -29,16 +44,16 @@ import java.net.URL; * corresponds to the base file name. * * @author <a href="mailto:bill@jboss.org">Bill Burke</a> - * @version $Revision: 1.1.2.1 $ - * - **/ + * @author <a href="mailto:dimitris@jboss.org">Dimitris Andreadis</a> + * @version $Revision: 58457 $ + */ public class DeploymentFileRepository extends ServiceMBeanSupport implements DeploymentFileRepositoryMBean { private String baseDir; private File base; + /** The server's home directory, for relative paths. */ protected File serverHome; - protected URL serverHomeURL; /** * @@ -52,7 +67,7 @@ public class DeploymentFileRepository ex public void store(String folder, String name, String fileExtension, String data, boolean noHotDeploy) throws IOException { System.out.println("store called"); - File dir = new File(base, folder); + File dir = getFile(base, folder); System.out.println("respository folder: " + dir.toString()); System.out.println("absolute: " + dir.getAbsolutePath()); if (!dir.exists()) @@ -63,7 +78,7 @@ public class DeploymentFileRepository ex } } String filename = name.replace(' ', '_') + fileExtension; - File file = new File(dir, filename); + File file = getFile(dir, filename); File tmpfile = new File(dir, filename + ".tmp"); PrintWriter writer = new PrintWriter(new FileOutputStream(tmpfile)); writer.write(data); 
@@ -81,18 +96,20 @@ public class DeploymentFileRepository ex } public void remove(String folder, String name, String fileExtension) + throws IOException { - File dir = new File(base, folder); + File dir = getFile(base, folder); String filename = name.replace(' ', '_') + fileExtension; - File file = new File(dir, filename); + File file = getFile(dir, filename); file.delete(); } public boolean isStored(String folder, String name, String fileExtension) + throws IOException { - File dir = new File(base, folder); + File dir = getFile(base, folder); String filename = name.replace(' ', '_') + fileExtension; - File file = new File(dir, filename); + File file = getFile(dir, filename); return file.exists(); } @@ -102,9 +119,10 @@ public class DeploymentFileRepository ex } public void setBaseDir(String baseDir) + throws IOException { this.baseDir = baseDir; - this.base = new File(serverHome, baseDir); + this.base = getFile(serverHome, baseDir); } @@ -118,4 +136,20 @@ public class DeploymentFileRepository ex return super.preRegister(server, name); } + /** + * Wrap the File(File parent, String child) CTOR to make sure the + * resulting child is indeed under the parent hierarchy, + * i.e. don't allow a ../../../rogue-child.txt + * + * see JBAS-3861 + */ + private File getFile(File parent, String child) throws IOException + { + File childFile = new File(parent, child); + + if (childFile.getCanonicalPath().indexOf(parent.getCanonicalPath()) != 0) + throw new IllegalArgumentException("child '" + child + "' should be a child of parent '" + parent + "'"); + + return childFile; + } } Index: jboss-3.2.5-src/console/src/main/org/jboss/console/manager/DeploymentFileRepositoryMBean.java =================================================================== --- jboss-3.2.5-src.orig/console/src/main/org/jboss/console/manager/DeploymentFileRepositoryMBean.java +++ jboss-3.2.5-src/console/src/main/org/jboss/console/manager/DeploymentFileRepositoryMBean.java 
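Review bot: The containment test in the new getFile, `childFile.getCanonicalPath().indexOf(parent.getCanonicalPath()) != 0`, is a plain string-prefix check, so a canonical child path that lands in a sibling directory whose name merely begins with the parent's name (parent `.../repo`, child resolving under `.../repo2/`) still passes. Compare against the parent path with a trailing separator and allow exact equality for an empty child: `String parentPath = parent.getCanonicalPath();` `String childPath = childFile.getCanonicalPath();` `if (!childPath.equals(parentPath) && !childPath.startsWith(parentPath + File.separator))`. Because getCanonicalPath resolves symbolic links, a link inside the base that points elsewhere is rejected by the same comparison, which is worth stating in the method's Javadoc. The Javadoc should also say that the rejection surfaces as an unchecked IllegalArgumentException while the declared IOException covers only canonicalization failures, since remove, isStored and setBaseDir in the earlier hunks inherit that behaviour.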
@@ -1,8 +1,23 @@ /* - * JBoss, the OpenSource J2EE webOS + * JBoss, Home of Professional Open Source. + * Copyright 2006, Red Hat Middleware LLC, and individual contributors + * as indicated by the @author tags. See the copyright.txt file in the + * distribution for a full listing of individual contributors. * - * Distributable under LGPL license. - * See terms of license at gnu.org. + * This is free software; you can redistribute it and/or modify it + * under the terms of the GNU Lesser General Public License as + * published by the Free Software Foundation; either version 2.1 of + * the License, or (at your option) any later version. + * + * This software is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this software; if not, write to the Free + * Software Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA + * 02110-1301 USA, or see the FSF site: http://www.fsf.org. */ package org.jboss.console.manager; 
@@ -11,21 +26,21 @@ import org.jboss.system.ServiceMBean; import java.io.IOException; /** - * Comment + * MBean interface * * @author <a href="mailto:bill@jboss.org">Bill Burke</a> - * @version $Revision: 1.1.2.1 $ - * - **/ + * @author <a href="mailto:dimitris@jboss.org">Dimitris Andreadis</a> + * @version $Revision: 58457 $ + */ public interface DeploymentFileRepositoryMBean extends ServiceMBean { void store(String folder, String name, String fileExtension, String data, boolean noHotDeploy) throws IOException; - void remove(String folder, String name, String fileExtension); + void remove(String folder, String name, String fileExtension) throws IOException; - boolean isStored(String folder, String name, String fileExtension); + boolean isStored(String folder, String name, String fileExtension) throws IOException; String getBaseDir(); - void setBaseDir(String baseDir); + void setBaseDir(String baseDir) throws IOException; }
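Review bot: The new `MBean interface` summary and the added `throws IOException` clauses still leave callers unaware that folder or name values resolving outside the base directory are rejected; the implementation in DeploymentFileRepository does this with an unchecked IllegalArgumentException, which this interface never mentions. Add `@throws IllegalArgumentException if folder or name resolves outside the repository base directory` to store, remove, isStored and setBaseDir, and `@throws IOException if the path cannot be canonicalized` for the newly declared checked exception. A one-line `@param` for folder and name stating that they are treated as path components relative to the base would make the contract clear to MBean clients.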