Artifact/workspace browser was unable to serve directories/files that contains ".." in them.

(<a href="http://www.nabble.com/Status-Code-400-viewing-or-downloading-artifact-whose-filename-contains-two-consecutive-periods-tt21407604.html">report</a>) This was due to a security check. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@14408 71c3de6d-444a-0410-be80-ed276b4c234a

Artifact/workspace browser was unable to serve directories/files that contains ".." in them.
(<a href="http://www.nabble.com/Status-Code-400-viewing-or-downloading-artifact-whose-filename-contains-two-consecutive-periods-tt21407604.html">report</a>) This was due to a security check. git-svn-id: https://hudson.dev.java.net/svn/hudson/trunk/hudson/main@14408 71c3de6d-444a-0410-be80-ed276b4c234a
e1153d51 · kohsuke · 9bd02f91 · e1153d51 · e1153d51 · e1153d51
3 changed file
--- a/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
+++ b/core/src/main/java/hudson/model/DirectoryBrowserSupport.java
@@ -79,8 +79,8 @@ public final class DirectoryBrowserSupport {
            return;
        }

-        String path = getPath(req);
-        if(path.indexOf("..")!=-1) {
+        String path = getPath(req).replace('\\','/');
+        if(path.indexOf("/../")!=-1) {
            // don't serve anything other than files in the artifacts dir
            rsp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;

--- a/test/src/main/java/org/jvnet/hudson/test/HudsonTestCase.java
+++ b/test/src/main/java/org/jvnet/hudson/test/HudsonTestCase.java
@@ -583,7 +583,12 @@ public abstract class HudsonTestCase extends TestCase {
         *      For example, "job/test/" to go to a job top page.
         */
        public HtmlPage goTo(String relative) throws IOException, SAXException {
-            return (HtmlPage)goTo(relative, "text/html");
+            Page p = goTo(relative, "text/html");
+            if (p instanceof HtmlPage) {
+                return (HtmlPage) p;
+            } else {
+                throw new AssertionError("Expected text/html but instead the content type was "+p.getWebResponse().getContentType());
+            }
        }

        public Page goTo(String relative, String expectedContentType) throws IOException, SAXException {

--- a/test/src/test/java/hudson/model/DirectoryBrowserSupportTest.java
+++ b/test/src/test/java/hudson/model/DirectoryBrowserSupportTest.java
+package hudson.model;
+
+import hudson.tasks.Shell;
+import org.jvnet.hudson.test.Email;
+import org.jvnet.hudson.test.HudsonTestCase;
+
+/**
+ * @author Kohsuke Kawaguchi
+ */
+public class DirectoryBrowserSupportTest extends HudsonTestCase {
+    @Email("http://www.nabble.com/Status-Code-400-viewing-or-downloading-artifact-whose-filename-contains-two-consecutive-periods-tt21407604.html")
+    public void testDoubleDots() throws Exception {
+        // create a problematic file name in the workspace
+        FreeStyleProject p = createFreeStyleProject();
+        p.getBuildersList().add(new Shell("touch abc..def"));
+        p.scheduleBuild2(0).get();
+
+        // can we see it?
+        new WebClient().goTo("job/"+p.getName()+"/ws/abc..def","application/octet-stream");
+
+        // TODO: implement negative check to make sure we aren't serving unexpected directories.
+        // the following trivial attempt failed. Someone in between is normalizing.
+//        // but this should fail
+//        try {
+//            new WebClient().goTo("job/" + p.getName() + "/ws/abc/../", "application/octet-stream");
+//        } catch (FailingHttpStatusCodeException e) {
+//            assertEquals(400,e.getStatusCode());
+//        }
+    }
+}