From 82b53e48e55cbbe55de152b1b9e63ccc4bb80d04 Mon Sep 17 00:00:00 2001 From: Anton Tananaev Date: Sat, 16 Dec 2023 07:31:12 -0800 Subject: Sanitize upload path --- src/main/java/org/traccar/api/resource/ServerResource.java | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) (limited to 'src') diff --git a/src/main/java/org/traccar/api/resource/ServerResource.java b/src/main/java/org/traccar/api/resource/ServerResource.java index 59ef642c8..1d88e5abc 100644 --- a/src/main/java/org/traccar/api/resource/ServerResource.java +++ b/src/main/java/org/traccar/api/resource/ServerResource.java @@ -140,7 +140,12 @@ public class ServerResource extends BaseResource { permissionsService.checkAdmin(getUserId()); String root = config.getString(Keys.WEB_OVERRIDE, config.getString(Keys.WEB_PATH)); - var outputPath = Paths.get(root, path); + var rootPath = Paths.get(root).normalize(); + var outputPath = rootPath.resolve(path).normalize(); + if (!outputPath.startsWith(rootPath)) { + return Response.status(Response.Status.BAD_REQUEST).build(); + } + var directoryPath = outputPath.getParent(); if (directoryPath != null) { Files.createDirectories(directoryPath); -- cgit v1.2.3