svn commit: r1866924 - in /ofbiz/ofbiz-framework/trunk: applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java


svn commit: r1866924 - in /ofbiz/ofbiz-framework/trunk: applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java

jleroux@apache.org
Author: jleroux
Date: Sat Sep 14 08:29:45 2019
New Revision: 1866924

URL: http://svn.apache.org/viewvc?rev=1866924&view=rev
Log:
Improved: no functional change

While working on OFBIZ-11196, I renamed the normalizePath() method in the FileUtil
class to createFileWithNormalizedPath() and added the normalizeFilePath()
method, which deals only with Strings (in -> out); it could be useful later...

Modified:
    ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
    ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java

Modified: ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java?rev=1866924&r1=1866923&r2=1866924&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java (original)
+++ ofbiz/ofbiz-framework/trunk/applications/product/src/main/java/org/apache/ofbiz/product/imagemanagement/FrameImage.java Sat Sep 14 08:29:45 2019
@@ -291,7 +291,7 @@ public class FrameImage {
         String dataResourceId = null;
         try {
             String dirPath = "/frame/";
-            File dir = FileUtil.normalizeFilePath(imageServerPath + dirPath);
+            File dir = FileUtil.createFileWithNormalizedPath(imageServerPath + dirPath);
             if (!dir.exists()) {
                 boolean createDir = dir.mkdir();
                 if (!createDir) {
@@ -300,7 +300,7 @@ public class FrameImage {
                 }
             }
             String imagePath = "/frame/" + imageName;
-            File file = FileUtil.normalizeFilePath(imageServerPath + imagePath); // cf. OFBIZ-9973
+            File file = FileUtil.createFileWithNormalizedPath(imageServerPath + imagePath); // cf. OFBIZ-9973
             if (file.exists()) {
                 request.setAttribute("_ERROR_MESSAGE_", "There is an existing frame, please select from the existing frame.");
                 return "error";
@@ -399,7 +399,7 @@ public class FrameImage {
                 Debug.logError("File :" + file.getName() + ", couldn't be loaded", module);
             }
             // Image Frame
-            BufferedImage bufImg1 = ImageIO.read(FileUtil.normalizeFilePath(imageServerPath + "/" + productId + "/" + imageName)); // cf. OFBIZ-9973
+            BufferedImage bufImg1 = ImageIO.read(FileUtil.createFileWithNormalizedPath(imageServerPath + "/" + productId + "/" + imageName)); // cf. OFBIZ-9973
             BufferedImage bufImg2 = ImageIO.read(new File(imageServerPath + "/frame/" + frameImageName));
 
             int bufImgType;

Modified: ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java
URL: http://svn.apache.org/viewvc/ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java?rev=1866924&r1=1866923&r2=1866924&view=diff
==============================================================================
--- ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java (original)
+++ ofbiz/ofbiz-framework/trunk/framework/base/src/main/java/org/apache/ofbiz/base/util/FileUtil.java Sat Sep 14 08:29:45 2019
@@ -134,7 +134,7 @@ public final class FileUtil {
                 return null;
             }
         }
-        return new File(root, localizePath(path));
+        return new File(root, normalizePath(localizePath(path)));
     }
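Review bot: Normalizing only the child component on the new `return` line does not confine the result to `root`: `Path.normalize()` collapses `.` and interior `..` segments but leaves a leading `..` in place, so a child that still starts with `..` after normalization resolves outside `root`. If the intent is traversal protection, resolve against the root first and check containment: `Path resolved = root.toPath().resolve(localizePath(path)).normalize(); if (!resolved.startsWith(root.toPath())) { return null; }` and then `return resolved.toFile();`, which matches the `return null;` failure style already used above in this method. `normalizePath` is not defined in this hunk, so whether it already rejects such input cannot be told from here; the enclosing method starts outside the hunk.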
 
     /**
@@ -497,8 +497,19 @@ public final class FileUtil {
      * @param filePath The file path to normalize
      * @return A File with a normalized file path
      */
-    public static File normalizeFilePath(String filePath) {
+    public static File createFileWithNormalizedPath(String filePath) {
         return new File(filePath).toPath().normalize().toFile();
     }
     
+    /**
+     * Normalizes a file path
+     * This useful to prevent path traversal security issues
+     *
+     * @param filePath The file path to normalize
+     * @return A normalized file path
+     */
+    public static String normalizeFilePath(String filePath) {
+        return createFileWithNormalizedPath(filePath).toString();
+    }
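Review bot: The Javadoc on the new `normalizeFilePath` (and the existing one on `createFileWithNormalizedPath`) overstates what `Path.normalize()` provides: it only collapses redundant `.` and `..` segments and does not reject a leading `..` or confine the result to any base directory, so a caller relying on it alone for traversal protection is still exposed. I would reword the description to `Normalizes a file path by collapsing redundant {@code .} and {@code ..} segments. Normalization alone does not confine the result to a base directory; callers guarding against path traversal must still verify that the normalized path starts with the intended root.`, which also fixes the "This useful" typo. The FrameImage callers changed in this commit concatenate names into `imageServerPath` and then normalize, so that containment check is what they would need. Separately, the Log says `normalizePath()` was renamed, while the hunk shows `normalizeFilePath` being renamed to `createFileWithNormalizedPath`; the log message is presumably the one in error.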
+    
 }