author | Greg Lewis <glewis@FreeBSD.org> | 2005-04-27 20:31:32 +0000 |
---|---|---|
committer | Greg Lewis <glewis@FreeBSD.org> | 2005-04-27 20:31:32 +0000 |
commit | 85d91b0060ec2218999d32f46d53c5385d5cf52a (patch) | |
tree | b78ed281747feda1c179550a934e978c8e804a79 /java/jdk13 | |
parent | - Update to 3.2 [1] (diff) |
. Ensure that when files are extracted, their fully resolved path lies
in or below the current working directory. Fixes a security problem with
jar(1).
This fix may change to be compatible with whatever fix Sun applies when
they release the next version of 1.5.
Notes
Notes:
svn path=/head/; revision=134275
Diffstat (limited to 'java/jdk13')
-rw-r--r-- | java/jdk13/files/patch-j2sdk1.3.1-jar-Main.java | 56 | ||||
-rw-r--r-- | java/jdk13/files/patch-j2sdk1.3.1-resources-jar.properties | 11 |
2 files changed, 67 insertions, 0 deletions
diff --git a/java/jdk13/files/patch-j2sdk1.3.1-jar-Main.java b/java/jdk13/files/patch-j2sdk1.3.1-jar-Main.java
new file mode 100644
index 000000000000..4b40f3e7c6aa
--- /dev/null
+++ b/java/jdk13/files/patch-j2sdk1.3.1-jar-Main.java
@@ -0,0 +1,56 @@
+--- ../src/share/classes/sun/tools/jar/Main.java 11 Jul 2001 21:39:05 -0000 1.1.1.1
++++ ../src/share/classes/sun/tools/jar/Main.java 27 Apr 2005 05:07:30 -0000
+@@ -35,6 +35,7 @@
+ Hashtable filesTable = new Hashtable();
+ Vector paths = new Vector();
+ Vector v;
++ String cwd;
+ CRC32 crc32 = new CRC32();
+ /* cflag: create
+ * uflag: update
+@@ -671,6 +672,19 @@
+ * Extracts specified entries from JAR file.
+ */
+ void extract(InputStream in, String files[]) throws IOException {
++ // Current working directory
++
++ cwd = System.getProperty("user.dir");
++ if (cwd == null) {
++ fatalError(getMsg("error.no.cwd"));
++ }
++ cwd = (new File(cwd)).getCanonicalPath();
++ if (!cwd.endsWith(File.separator)) {
++ cwd += File.separator;
++ }
++
++ // Extract the files
++
+ ZipInputStream zis = new ZipInputStream(in);
+ ZipEntry e;
+ while ((e = zis.getNextEntry()) != null) {
+@@ -695,6 +709,10 @@
+ void extractFile(ZipInputStream zis, ZipEntry e) throws IOException {
+ String name = e.getName();
+ File f = new File(e.getName().replace('/', File.separatorChar));
++ if (!f.getCanonicalPath().startsWith(cwd)) {
++ output(formatMsg("out.ignore.entry", name));
++ return;
++ }
+ if (e.isDirectory()) {
+ if (!f.exists() && !f.mkdirs() || !f.isDirectory()) {
+ throw new IOException(formatMsg("error.create.dir", f.getPath()));
+@@ -705,6 +723,10 @@
+ } else {
+ if (f.getParent() != null) {
+ File d = new File(f.getParent());
++ if (!d.getCanonicalPath().startsWith(cwd)) {
++ output(formatMsg("out.ignore.entry", name));
++ return;
++ }
+ if (!d.exists() && !d.mkdirs() || !d.isDirectory()) {
+ throw new IOException(formatMsg("error.create.dir", d.getPath()));
+ }
+Index: j2sdk1.3.1/src/share/classes/sun/tools/jar/resources/jar.properties
+===================================================================
+RCS file: /var/jcvs/javasrc_1_3_scsl/j2sdk1.3.1/src/share/classes/sun/tools/jar/resources/jar.properties,v
+retrieving revision 1.1.1.1
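Review bot: The containment test in extractFile() can reject entries that are legitimately inside the extraction directory, because `cwd` is stored with a trailing separator while `getCanonicalPath()` does not return one for a directory. For an entry such as `./name`, `f.getParent()` is `.`, so `d.getCanonicalPath()` equals the working directory without the separator and `startsWith(cwd)` is false; a directory entry that resolves to the working directory itself fails the first check the same way. Appending the separator to the candidate keeps the prefix test strict and accepts both cases, e.g. `if (!(d.getCanonicalPath() + File.separator).startsWith(cwd)) {`, with the same form for `f`. Separately, `cwd` is an instance field set only in extract(), and the null check relies on fatalError() not returning, which is not visible here; if it can return, `new File(cwd)` throws a NullPointerException. The bodies of extract() and extractFile() continue outside these hunks.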
diff --git a/java/jdk13/files/patch-j2sdk1.3.1-resources-jar.properties b/java/jdk13/files/patch-j2sdk1.3.1-resources-jar.properties
new file mode 100644
index 000000000000..285bfb2b8a05
--- /dev/null
+++ b/java/jdk13/files/patch-j2sdk1.3.1-resources-jar.properties
@@ -0,0 +1,11 @@
+--- ../src/share/classes/sun/tools/jar/resources/jar.properties 11 Jul 2001 21:39:05 -0000 1.1.1.1
++++ ../src/share/classes/sun/tools/jar/resources/jar.properties 27 Apr 2005 05:07:52 -0000
+@@ -30,6 +30,8 @@
+ {0} : could not create directory
+ error.incorrect.length=\
+ incorrect length while processing: {0}
++error.no.cwd=\
++ {0} : could not determine current working directory
+ out.added.manifest=\
+ added manifest
+ out.update.manifest=\ |
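Review bot: The new `error.no.cwd` text begins with `{0}`, but the only caller added by the Main.java patch is `fatalError(getMsg("error.no.cwd"))`, which supplies no argument, so the placeholder will presumably be printed literally. Dropping it gives `error.no.cwd=\` followed by `could not determine current working directory`. The Main.java patch also reports skipped entries with the key `out.ignore.entry`, which this patch does not add; confirm the key already exists in the 1.3.1 jar.properties, otherwise the lookup for the skipped-entry message is likely to fail at the moment an out-of-tree entry is rejected.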