diff options
author | Anton Tananaev <anton@traccar.org> | 2023-12-16 07:31:12 -0800 |
---|---|---|
committer | Anton Tananaev <anton@traccar.org> | 2023-12-16 07:31:12 -0800 |
commit | 82b53e48e55cbbe55de152b1b9e63ccc4bb80d04 (patch) | |
tree | 52fc395a1b8b53812923949b20b081e3b814b284 /src/main/java/org | |
parent | 2426e050ca6d4fb163e4163a8f713da32064aaf7 (diff) | |
download | trackermap-server-82b53e48e55cbbe55de152b1b9e63ccc4bb80d04.tar.gz trackermap-server-82b53e48e55cbbe55de152b1b9e63ccc4bb80d04.tar.bz2 trackermap-server-82b53e48e55cbbe55de152b1b9e63ccc4bb80d04.zip |
Sanitize upload path
Diffstat (limited to 'src/main/java/org')
-rw-r--r-- | src/main/java/org/traccar/api/resource/ServerResource.java | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/main/java/org/traccar/api/resource/ServerResource.java b/src/main/java/org/traccar/api/resource/ServerResource.java index 59ef642c8..1d88e5abc 100644 --- a/src/main/java/org/traccar/api/resource/ServerResource.java +++ b/src/main/java/org/traccar/api/resource/ServerResource.java @@ -140,7 +140,12 @@ public class ServerResource extends BaseResource { permissionsService.checkAdmin(getUserId()); String root = config.getString(Keys.WEB_OVERRIDE, config.getString(Keys.WEB_PATH)); - var outputPath = Paths.get(root, path); + var rootPath = Paths.get(root).normalize(); + var outputPath = rootPath.resolve(path).normalize(); + if (!outputPath.startsWith(rootPath)) { + return Response.status(Response.Status.BAD_REQUEST).build(); + } + var directoryPath = outputPath.getParent(); if (directoryPath != null) { Files.createDirectories(directoryPath); |