Skip to content

Commit

Permalink
XWIKI-19349: Bad handling of classloader templates path resolution
Browse files Browse the repository at this point in the history
  • Loading branch information
tmortagne committed Jan 28, 2022
1 parent 6b54214 commit 4917c8f
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 5 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -142,7 +142,7 @@ private String getSkinResourcePath(String resource)
String skinFolder = getSkinFolder();
String resourcePath = skinFolder + resource;

// Prevent inclusion of templates from other directories
// Prevent access to resources from other directories
Path normalizedResource = Paths.get(resourcePath).normalize();
// Protect against directory attacks.
if (!normalizedResource.startsWith(skinFolder)) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,8 @@
import java.lang.reflect.Type;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.AbstractSet;
import java.util.Arrays;
import java.util.Collections;
Expand Down Expand Up @@ -896,14 +898,23 @@ private EnvironmentTemplate getFileSystemTemplate(String templateName)
: null;
}

private Template getClassloaderTemplate(String suffixPath, String templateName)
private Template getClassloaderTemplate(String prefixPath, String templateName)
{
return getClassloaderTemplate(Thread.currentThread().getContextClassLoader(), suffixPath, templateName);
return getClassloaderTemplate(Thread.currentThread().getContextClassLoader(), prefixPath, templateName);
}

private Template getClassloaderTemplate(ClassLoader classloader, String suffixPath, String templateName)
private Template getClassloaderTemplate(ClassLoader classloader, String prefixPath, String templateName)
{
String templatePath = suffixPath + templateName;
String templatePath = prefixPath + templateName;

// Prevent access to resources from other directories
Path normalizedResource = Paths.get(templatePath).normalize();
// Protect against directory attacks.
if (!normalizedResource.startsWith(prefixPath)) {
this.logger.warn("Direct access to skin file [{}] refused. Possible break-in attempt!", normalizedResource);

return null;
}

URL url = classloader.getResource(templatePath);

Expand Down

0 comments on commit 4917c8f

Please sign in to comment.