diff options
Diffstat (limited to 'src/main')
-rw-r--r-- | src/main/java/org/traccar/api/resource/ServerResource.java | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/src/main/java/org/traccar/api/resource/ServerResource.java b/src/main/java/org/traccar/api/resource/ServerResource.java index 59ef642c8..1d88e5abc 100644 --- a/src/main/java/org/traccar/api/resource/ServerResource.java +++ b/src/main/java/org/traccar/api/resource/ServerResource.java @@ -140,7 +140,12 @@ public class ServerResource extends BaseResource { permissionsService.checkAdmin(getUserId()); String root = config.getString(Keys.WEB_OVERRIDE, config.getString(Keys.WEB_PATH)); - var outputPath = Paths.get(root, path); + var rootPath = Paths.get(root).normalize(); + var outputPath = rootPath.resolve(path).normalize(); + if (!outputPath.startsWith(rootPath)) { + return Response.status(Response.Status.BAD_REQUEST).build(); + } + var directoryPath = outputPath.getParent(); if (directoryPath != null) { Files.createDirectories(directoryPath); |