PAYARA-953 detect null bytes (payara#1011)

flowlogix · Jul 5, 2017 · b23ed4b · b23ed4b
1 parent cd4887d
commit b23ed4b
Showing 1 changed file with 19 additions and 1 deletion.
diff --git a/appserver/web/web-core/src/main/java/org/apache/catalina/fileupload/PartItem.java b/appserver/web/web-core/src/main/java/org/apache/catalina/fileupload/PartItem.java
@@ -56,7 +56,7 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
+// Portions Copyright [2016] [C2B2 Consulting Limited and/or its affiliates]
 package org.apache.catalina.fileupload;
 
 import org.apache.catalina.Globals;
@@ -739,6 +739,24 @@ private void readObject(ObjectInputStream in)
             throws IOException, ClassNotFoundException {
         // read values
         in.defaultReadObject();
+
+        // PAYARA-953 protect against null byte attacks 
+        if (repository != null) {
+            if (repository.getPath().contains("\0")) {
+                throw new IOException("Repository path cannot contain a null byte");
+            }
+
+            if (!repository.isDirectory()) {
+                throw new IOException("Repository path " + repository.getPath() + " is not a directory ");
+            }
+        }
+
+        if (dfosFile != null) {
+            if (dfosFile.getPath().contains("\0")) {
+                throw new IOException("File path cannot contain a null byte");
+            }
+        }
+        // END PAYARA-953
 
         OutputStream output = getOutputStream();
         if (cachedContent != null) {