Mercurial > hg > shenandoah-preopenjdk-archive > openjdk8 > jdk

changeset 273:61a7e1919ba3

Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Merge
author wetmore
date Sun, 11 May 2008 00:26:16 -0700
parents 9781e5c7b9ba (current diff) d95a6a4ea502 (diff)
children 2bf15b903bec ca48d7cc3579 2ebefcea77a5
files
diffstat 1 files changed, 15 insertions(+), 3 deletions(-) [+]
line wrap: on
line diff
--- a/src/share/classes/sun/misc/URLClassPath.java	Sat May 10 12:14:53 2008 -0700
+++ b/src/share/classes/sun/misc/URLClassPath.java	Sun May 11 00:26:16 2008 -0700
@@ -961,6 +961,7 @@
      * from a file URL that refers to a directory.
      */
     private static class FileLoader extends Loader {
+        /* Canonicalized File */
         private File dir;
 
         FileLoader(URL url) throws IOException {
@@ -970,7 +971,7 @@
             }
             String path = url.getFile().replace('/', File.separatorChar);
             path = ParseUtil.decode(path);
-            dir = new File(path);
+            dir = (new File(path)).getCanonicalFile();
         }
 
         /*
@@ -997,8 +998,19 @@
 
                 if (check)
                     URLClassPath.check(url);
-                final File file =
-                    new File(dir, name.replace('/', File.separatorChar));
+
+                final File file;
+                if (name.indexOf("..") != -1) {
+                    file = (new File(dir, name.replace('/', File.separatorChar)))
+                          .getCanonicalFile();
+                    if ( !((file.getPath()).startsWith(dir.getPath())) ) {
+                        /* outside of base dir */
+                        return null;
+                    }
+                } else {
+                    file = new File(dir, name.replace('/', File.separatorChar));
+                }
+
                 if (file.exists()) {
                     return new Resource() {
                         public String getName() { return name; };