Inicio Explorar Ayuda
Registro Iniciar sesión
apache
/
hadoop
espejo de https://github.com/apache/hadoop.git
2
0
Fork 1
Archivos Incidencias 0 Wiki
Explorar el Código

Additional check when unpacking archives. Contributed by Jason Lowe and Akira Ajisaka.

Akira Ajisaka hace 7 años
padre
5b3a6e3678
commit
bd98d4e77c
Se han modificado 2 ficheros con 46 adiciones y 8 borrados
Unificar vista Mostrar estadísticas de diff
  1. 13 2
      hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java
  2. 33 6
      hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestFileUtil.java

+ 13 - 2
hadoop-common-project/hadoop-common/src/main/java/org/apache/hadoop/fs/FileUtil.java
Ver fichero 

@@ -585,15 +585,20 @@ public class FileUtil {
 
   public static void unZip(File inFile, File unzipDir) throws IOException {
 
   public static void unZip(File inFile, File unzipDir) throws IOException {
 
     Enumeration<? extends ZipEntry> entries;
 
     Enumeration<? extends ZipEntry> entries;
 
     ZipFile zipFile = new ZipFile(inFile);
 
     ZipFile zipFile = new ZipFile(inFile);
 
+    String targetDirPath = unzipDir.getCanonicalPath() + File.separator;
 
 
 
     try {
 
     try {
 
       entries = zipFile.entries();
 
       entries = zipFile.entries();
 
       while (entries.hasMoreElements()) {
 
       while (entries.hasMoreElements()) {
 
         ZipEntry entry = entries.nextElement();
 
         ZipEntry entry = entries.nextElement();
 
         if (!entry.isDirectory()) {
 
         if (!entry.isDirectory()) {
 
+          File file = new File(unzipDir, entry.getName());
 
+          if (!file.getCanonicalPath().startsWith(targetDirPath)) {
 
+            throw new IOException("expanding " + entry.getName()
 
+                + " would create file outside of " + unzipDir);
 
+          }
 
           InputStream in = zipFile.getInputStream(entry);
 
           InputStream in = zipFile.getInputStream(entry);
 
           try {
 
           try {
 
-            File file = new File(unzipDir, entry.getName());
 
             if (!file.getParentFile().mkdirs()) {
 
             if (!file.getParentFile().mkdirs()) {
 
               if (!file.getParentFile().isDirectory()) {
 
               if (!file.getParentFile().isDirectory()) {
 
                 throw new IOException("Mkdirs failed to create " +
 
                 throw new IOException("Mkdirs failed to create " +
 
@@ -703,6 +708,13 @@ public class FileUtil {
 
 
 
   private static void unpackEntries(TarArchiveInputStream tis,
 
   private static void unpackEntries(TarArchiveInputStream tis,
 
       TarArchiveEntry entry, File outputDir) throws IOException {
 
       TarArchiveEntry entry, File outputDir) throws IOException {
 
+    String targetDirPath = outputDir.getCanonicalPath() + File.separator;
 
+    File outputFile = new File(outputDir, entry.getName());
 
+    if (!outputFile.getCanonicalPath().startsWith(targetDirPath)) {
 
+      throw new IOException("expanding " + entry.getName()
 
+          + " would create entry outside of " + outputDir);
 
+    }
 
+
 
     if (entry.isDirectory()) {
 
     if (entry.isDirectory()) {
 
       File subDir = new File(outputDir, entry.getName());
 
       File subDir = new File(outputDir, entry.getName());
 
       if (!subDir.mkdirs() && !subDir.isDirectory()) {
 
       if (!subDir.mkdirs() && !subDir.isDirectory()) {
 
@@ -717,7 +729,6 @@ public class FileUtil {
 
       return;
 
       return;
 
     }
 
     }
 
 
 
-    File outputFile = new File(outputDir, entry.getName());
 
     if (!outputFile.getParentFile().exists()) {
 
     if (!outputFile.getParentFile().exists()) {
 
       if (!outputFile.getParentFile().mkdirs()) {
 
       if (!outputFile.getParentFile().mkdirs()) {
 
         throw new IOException("Mkdirs failed to create tar internal dir "
 
         throw new IOException("Mkdirs failed to create tar internal dir "

+ 33 - 6
hadoop-common-project/hadoop-common/src/test/java/org/apache/hadoop/fs/TestFileUtil.java
Ver fichero 

@@ -37,6 +37,7 @@ import java.net.URI;
 
 import java.net.URISyntaxException;
 
 import java.net.URISyntaxException;
 
 import java.net.URL;
 
 import java.net.URL;
 
 import java.net.UnknownHostException;
 
 import java.net.UnknownHostException;
 
+import java.nio.charset.StandardCharsets;
 
 import java.util.ArrayList;
 
 import java.util.ArrayList;
 
 import java.util.Arrays;
 
 import java.util.Arrays;
 
 import java.util.Collections;
 
 import java.util.Collections;
 
@@ -679,10 +680,8 @@ public class TestFileUtil {
 
   
   
   @Test (timeout = 30000)
 
   @Test (timeout = 30000)
 
   public void testUnZip() throws IOException {
 
   public void testUnZip() throws IOException {
 
-    // make sa simple zip
 
     setupDirs();
 
     setupDirs();
 
-    
-    // make a simple tar:
 
+    // make a simple zip
 
     final File simpleZip = new File(del, FILE);
 
     final File simpleZip = new File(del, FILE);
 
     OutputStream os = new FileOutputStream(simpleZip); 
     OutputStream os = new FileOutputStream(simpleZip); 
     ZipOutputStream tos = new ZipOutputStream(os);
 
     ZipOutputStream tos = new ZipOutputStream(os);
 
@@ -699,7 +698,7 @@ public class TestFileUtil {
 
       tos.close();
 
       tos.close();
 
     }
 
     }
 
     
     
-    // successfully untar it into an existing dir:
 
+    // successfully unzip it into an existing dir:
 
     FileUtil.unZip(simpleZip, tmp);
 
     FileUtil.unZip(simpleZip, tmp);
 
     // check result:
 
     // check result:
 
     assertTrue(new File(tmp, "foo").exists());
 
     assertTrue(new File(tmp, "foo").exists());
 
@@ -714,8 +713,36 @@ public class TestFileUtil {
 
     } catch (IOException ioe) {
 
     } catch (IOException ioe) {
 
       // okay
 
       // okay
 
     }
 
     }
 
-  }  
-  
+  }
 
+
 
+  @Test (timeout = 30000)
 
+  public void testUnZip2() throws IOException {
 
+    setupDirs();
 
+    // make a simple zip
 
+    final File simpleZip = new File(del, FILE);
 
+    OutputStream os = new FileOutputStream(simpleZip);
 
+    try (ZipOutputStream tos = new ZipOutputStream(os)) {
 
+      // Add an entry that contains invalid filename
 
+      ZipEntry ze = new ZipEntry("../foo");
 
+      byte[] data = "some-content".getBytes(StandardCharsets.UTF_8);
 
+      ze.setSize(data.length);
 
+      tos.putNextEntry(ze);
 
+      tos.write(data);
 
+      tos.closeEntry();
 
+      tos.flush();
 
+      tos.finish();
 
+    }
 
+
 
+    // Unzip it into an existing dir
 
+    try {
 
+      FileUtil.unZip(simpleZip, tmp);
 
+      Assert.fail("unZip should throw IOException.");
 
+    } catch (IOException e) {
 
+      GenericTestUtils.assertExceptionContains(
 
+          "would create file outside of", e);
 
+    }
 
+  }
 
+
 
   @Test (timeout = 30000)
 
   @Test (timeout = 30000)
 
   /*
 
   /*
 
    * Test method copy(FileSystem srcFS, Path src, File dst, boolean deleteSource, Configuration conf)
 
    * Test method copy(FileSystem srcFS, Path src, File dst, boolean deleteSource, Configuration conf)