hazza/DSpace
1
0
Fork 0
mirror of https://github.com/DSpace/DSpace.git synced 2025-10-12 12:33:18 +00:00
Code Issues Packages Projects Releases Wiki Activity

(Larry Stone)

Browse Source 
- Added a sanity check to ensure that bad or corrupted file names to not retrieve an unintended file.


git-svn-id: http://scm.dspace.org/svn/repo/trunk@1526 9c30dcfa-912a-0410-8fc2-9e0234be79fd
This commit is contained in:
Scott Phillips
2006-05-26 14:41:34 +00:00
parent 799f1b86b6
commit fbb4a4d77e
1 changed files with 9 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

9
dspace/src/org/dspace/storage/bitstore/BitstreamStorageManager.java
View File

@@ -788,6 +788,15 @@ public class BitstreamStorageManager
sInternalId = sInternalId.substring(REGISTERED_FLAG.length()); sInternalId = sInternalId.substring(REGISTERED_FLAG.length());
sIntermediatePath = ""; sIntermediatePath = "";
} else { } else {
// Sanity Check: If the internal ID contains a
// pathname separator, it's probably an attempt to
// make a path traversal attack, so ignore the path
// prefix. The internal-ID is supposed to be just a
// filename, so this will not affect normal operation.
if (sInternalId.indexOf(File.separator) != -1)
sInternalId = sInternalId.substring(sInternalId.lastIndexOf(File.separator)+1);
sIntermediatePath = getIntermediatePath(sInternalId); sIntermediatePath = getIntermediatePath(sInternalId);
} }