Add missing portion of the correction for directory transversal
authorkurt
Tue May 12 09:21:31 2009 -0400 (10 months ago)
changeset 938968ae4f2d402
parent 937940223097cb1
child 939f3b9ef693316
Add missing portion of the correction for the directory traversal
problem described in CVE-2005-1080. Reported by S.P.Zeidler
on bsd-port-dev list.
src/share/classes/sun/tools/jar/Main.java
--- a/src/share/classes/sun/tools/jar/Main.java Tue Mar 10 09:04:32 2009 -0700
+++ b/src/share/classes/sun/tools/jar/Main.java Tue May 12 09:21:31 2009 -0400
@@ -845,6 +845,19 @@ class Main {
* Extracts specified entries from JAR file, via ZipFile.
*/
void extract(String fname, String files[]) throws IOException {
+ // Current working directory
+
+ cwd = System.getProperty("user.dir");
+ if (cwd == null) {
+ fatalError(getMsg("error.no.cwd"));
+ }
+ cwd = (new File(cwd)).getCanonicalPath();
+ if (!cwd.endsWith(File.separator)) {
+ cwd += File.separator;
+ }
+
+ // Extract the files
+
ZipFile zf = new ZipFile(fname);
Set<ZipEntry> dirs = newDirSet();
Enumeration<? extends ZipEntry> zes = zf.entries();
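Review bot: When `user.dir` is unset, the `if (cwd == null)` branch calls `fatalError(...)` and then falls through to `new File(cwd)`, which throws a NullPointerException unless fatalError never returns (its body is not shown here); add `return;` after the call. The hunk only prepares `cwd`, and the containment test that uses it is outside this hunk, so confirm it compares each destination's `getCanonicalPath()` against `cwd` rather than the raw entry name. The appended separator deserves a comment such as `// trailing separator so a prefix match cannot accept a sibling directory with the same leading name`. The `error.no.cwd` key must also exist in the jar tool's resource bundle, which this page does not show. The body of extract() continues past the end of the hunk.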