From 3f7901931c9d152c331a84af1492c37077df4dbb Mon Sep 17 00:00:00 2001
From: chegar
Date: Fri, 2 May 2008 21:33:59 +0100
Subject: [PATCH] 6687919: REGRESSION : Classloader can handle any resource which is not included in classpath Reviewed-by: jccollet, alanb
---
 .../share/classes/sun/misc/URLClassPath.java | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/jdk/src/share/classes/sun/misc/URLClassPath.java b/jdk/src/share/classes/sun/misc/URLClassPath.java
index b3bd6d38a9..ebc30408b7 100644
--- a/jdk/src/share/classes/sun/misc/URLClassPath.java
+++ b/jdk/src/share/classes/sun/misc/URLClassPath.java
@@ -961,6 +961,7 @@ public class URLClassPath {
 * from a file URL that refers to a directory.
 */
 private static class FileLoader extends Loader {
+ /* Canonicalized File */
 private File dir;
 
 FileLoader(URL url) throws IOException {
@@ -970,7 +971,7 @@ public class URLClassPath {
 }
 String path = url.getFile().replace('/', File.separatorChar);
 path = ParseUtil.decode(path);
- dir = new File(path);
+ dir = (new File(path)).getCanonicalFile();
 }
 
 /*
@@ -997,8 +998,19 @@ public class URLClassPath {
 
 if (check)
 URLClassPath.check(url);
- final File file =
- new File(dir, name.replace('/', File.separatorChar));
+
+ final File file;
+ if (name.indexOf("..") != -1) {
+ file = (new File(dir, name.replace('/', File.separatorChar)))
+ .getCanonicalFile();
+ if ( !((file.getPath()).startsWith(dir.getPath())) ) {
+ /* outside of base dir */
+ return null;
+ }
+ } else {
+ file = new File(dir, name.replace('/', File.separatorChar));
+ }
+
 if (file.exists()) {
 return new Resource() {
 public String getName() { return name; };
-- 
GitLab
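Review bot: The containment test added in the third hunk, `file.getPath().startsWith(dir.getPath())`, is a plain string-prefix comparison, so a canonical path in a sibling directory whose name merely begins with the base directory's name (constructed example: base `classes`, sibling `classes-old`) is treated as being inside the base. Compare on a path-component boundary instead, for example `String base = dir.getPath();` followed by `if (!file.getPath().startsWith(base.endsWith(File.separator) ? base : base + File.separator)) return null;`, and decide explicitly whether a name that resolves to the base directory itself should be accepted. The check also depends on `dir` having been canonicalized in the constructor hunk, which the `/* outside of base dir */` comment could state. The enclosing method starts and ends outside the hunk, so an earlier check there may already reject some of these names; that cannot be confirmed from the visible lines.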