aboutsummaryrefslogtreecommitdiff
path: root/src/main/java/org/traccar/api
diff options
context:
space:
mode:
authorAnton Tananaev <anton@traccar.org>2023-12-16 07:31:12 -0800
committerAnton Tananaev <anton@traccar.org>2023-12-16 07:31:12 -0800
commit82b53e48e55cbbe55de152b1b9e63ccc4bb80d04 (patch)
tree52fc395a1b8b53812923949b20b081e3b814b284 /src/main/java/org/traccar/api
parent2426e050ca6d4fb163e4163a8f713da32064aaf7 (diff)
downloadtrackermap-server-82b53e48e55cbbe55de152b1b9e63ccc4bb80d04.tar.gz
trackermap-server-82b53e48e55cbbe55de152b1b9e63ccc4bb80d04.tar.bz2
trackermap-server-82b53e48e55cbbe55de152b1b9e63ccc4bb80d04.zip
Sanitize upload path
Diffstat (limited to 'src/main/java/org/traccar/api')
-rw-r--r--src/main/java/org/traccar/api/resource/ServerResource.java7
1 files changed, 6 insertions, 1 deletions
diff --git a/src/main/java/org/traccar/api/resource/ServerResource.java b/src/main/java/org/traccar/api/resource/ServerResource.java
index 59ef642c8..1d88e5abc 100644
--- a/src/main/java/org/traccar/api/resource/ServerResource.java
+++ b/src/main/java/org/traccar/api/resource/ServerResource.java
@@ -140,7 +140,12 @@ public class ServerResource extends BaseResource {
permissionsService.checkAdmin(getUserId());
String root = config.getString(Keys.WEB_OVERRIDE, config.getString(Keys.WEB_PATH));
- var outputPath = Paths.get(root, path);
+ var rootPath = Paths.get(root).normalize();
+ var outputPath = rootPath.resolve(path).normalize();
+ if (!outputPath.startsWith(rootPath)) {
+ return Response.status(Response.Status.BAD_REQUEST).build();
+ }
+
var directoryPath = outputPath.getParent();
if (directoryPath != null) {
Files.createDirectories(directoryPath);