Multiple Path Traversal security issues
ruolli committed Sep 5, 2019
1 parent ea4a097 commit cefbb94
Showing 3 changed files with 5 additions and 3 deletions.
Expand Up @@ -355,7 +355,7 @@ private URL findPathConsideringContracts(ClassLoader loader,
} else if (root == null) {
String contractName = ctx.getExternalContext().getRequestParameterMap()
.get("con");
if (null != contractName && 0 < contractName.length()) {
if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
contracts = new ArrayList<>();
contracts.add(contractName);
} else {
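Review bot: The strengthened condition on the `"con"` request parameter makes a contract name that fails `ResourceManager.nameContainsForbiddenSequence` indistinguishable from a missing one — both drop into the same `else` branch, which continues outside the hunk, so a rejected traversal attempt against this parameter leaves no trace for operators. Consider emitting a warning through this class's logger when the parameter was present but rejected (keep the message length-bounded rather than echoing the raw value, since it is request-controlled), so the event is visible in logs. The identical guard appears again in the third file of this commit (the `findPathConsideringContracts(LibraryInfo library, ...)` variant); a small shared predicate such as `static boolean isAcceptableContractName(String name)` on ResourceManager would keep the two call sites from drifting apart the next time the rule changes.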
Expand Up @@ -351,7 +351,7 @@ private String trimLeadingSlash(String s) {
}
}

private static boolean nameContainsForbiddenSequence(String name) {
static boolean nameContainsForbiddenSequence(String name) {
boolean result = false;
if (name != null) {
name = name.toLowerCase();
Expand Down Expand Up @@ -567,6 +567,8 @@ private String getLocalePrefix(FacesContext context) {

if(localePrefix != null && !nameContainsForbiddenSequence(localePrefix)){
return localePrefix;
} else {
localePrefix = null;
}

String appBundleName = context.getApplication().getMessageBundle();
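Review bot: `name = name.toLowerCase();` in nameContainsForbiddenSequence lowercases with the JVM default locale, so the case-insensitive comparison that follows (the remainder of the method is outside the hunk) depends on the deployment's locale — under a Turkish default locale, for instance, `I` does not map to `i`; use `name = name.toLowerCase(Locale.ROOT);` (java.util.Locale) so the check is deterministic everywhere. Now that the method is package-visible and relied on from the two contract-lookup helpers changed in this commit, it should carry a Javadoc stating that it is the shared validation for resource, library, contract and locale-prefix names drawn from request or configuration input, that a `true` result means the name must be rejected outright (not sanitised and reused), and that `null` yields `false`. The second hunk in this file, which clears `localePrefix` when it fails the same check, would benefit from a one-line comment such as `// a forbidden prefix is treated as absent; fall back to the application bundle` so the fall-through is visibly intentional.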
Expand Up @@ -315,7 +315,7 @@ private String findPathConsideringContracts(LibraryInfo library,
} else if (root == null) {
String contractName = ctx.getExternalContext().getRequestParameterMap()
.get("con");
if (null != contractName && 0 < contractName.length()) {
if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
contracts = new ArrayList<>();
contracts.add(contractName);
} else {
