mirror of
https://github.com/spring-projects/spring-boot.git
synced 2024-09-03 04:26:12 +08:00
Merge branch '1.5.x' into 2.0.x
commit
bfe65c8a5c
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2012-2018 the original author or authors.
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -117,8 +117,17 @@ class ProjectGenerator {
|
||||
private void extractFromStream(ZipInputStream zipStream, boolean overwrite,
|
||||
File outputFolder) throws IOException {
|
||||
ZipEntry entry = zipStream.getNextEntry();
|
||||
String canonicalOutputPath = outputFolder.getCanonicalPath() + File.separator;
|
||||
while (entry != null) {
|
||||
File file = new File(outputFolder, entry.getName());
|
||||
String canonicalEntryPath = file.getCanonicalPath();
|
||||
if (!canonicalEntryPath.startsWith(canonicalOutputPath)) {
|
||||
throw new ReportableException("Entry '" + entry.getName()
|
||||
+ "' would be written to '" + canonicalEntryPath
|
||||
+ "'. This is outside the output location of '"
|
||||
+ canonicalOutputPath
|
||||
+ "'. Verify your target server configuration.");
|
||||
}
|
||||
if (file.exists() && !overwrite) {
|
||||
throw new ReportableException((file.isDirectory() ? "Directory" : "File")
|
||||
+ " '" + file.getName()
|
||||
|
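Review bot: The prefix check in `extractFromStream` compares against `outputFolder.getCanonicalPath() + File.separator`, so an entry that resolves to the output folder itself (for example a `./` directory entry) has no trailing separator and would be reported as outside the output location. The appended separator is what keeps a sibling directory whose name merely starts with the output folder's name from passing, and that deserves a comment on the `canonicalOutputPath` line: `// trailing separator so a sibling such as <output>-x does not match the prefix`. A path-element comparison, `file.getCanonicalFile().toPath().startsWith(outputFolder.getCanonicalFile().toPath())`, would handle both cases without string handling. The loop body continues past the end of the hunk, so whether entries written before the exception are cleaned up cannot be seen from here.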
@ -1,5 +1,5 @@
|
||||
/*
|
||||
* Copyright 2012-2017 the original author or authors.
|
||||
* Copyright 2012-2019 the original author or authors.
|
||||
*
|
||||
* Licensed under the Apache License, Version 2.0 (the "License");
|
||||
* you may not use this file except in compliance with the License.
|
||||
@ -125,6 +125,20 @@ public class InitCommandTests extends AbstractHttpClientMockTests {
|
||||
assertThat(archiveFile).exists();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void generateProjectAndExtractWillNotWriteEntriesOutsideOutputLocation()
|
||||
throws Exception {
|
||||
File folder = this.temporaryFolder.newFolder();
|
||||
byte[] archive = createFakeZipArchive("../outside.txt", "Fake content");
|
||||
MockHttpProjectGenerationRequest request = new MockHttpProjectGenerationRequest(
|
||||
"application/zip", "demo.zip", archive);
|
||||
mockSuccessfulProjectGeneration(request);
|
||||
assertThat(this.command.run("--extract", folder.getAbsolutePath()))
|
||||
.isEqualTo(ExitStatus.ERROR);
|
||||
File archiveFile = new File(folder.getParentFile(), "outside.txt");
|
||||
assertThat(archiveFile).doesNotExist();
|
||||
}
|
||||
|
||||
@Test
|
||||
public void generateProjectAndExtractWithConvention() throws Exception {
|
||||
File folder = this.temporaryFolder.newFolder();
|
||||
|
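Review bot: The new test exercises only a single `../outside.txt` entry, so nothing pins the reason the check in `extractFromStream` appends `File.separator`, which is to reject a sibling directory whose name starts with the output folder's name. A second case with an entry name built as `"../" + folder.getName() + "-sibling/outside.txt"` would fail if that separator were ever dropped. `ExitStatus.ERROR` can presumably result from unrelated failures too, so the test would be tighter if it also checked the reported message, assuming the test class has a way to capture output (not visible in this hunk). The local `archiveFile` holds the file that must not exist, so `outsideFile` would read more clearly.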