Description
In a couple of places in the Karaf code, `getCanonicalPath` is used to transform the path into a canonical form, which prevents attack types such as `..` in path segments. If the result of `targetDir.getCanonicalPath()` is not slash-terminated, it allows for partial path traversal.
Consider `"/usr/outnot".startsWith("/usr/out")`. The check passes although `/usr/outnot` is not inside the `out` directory.
The terminating slash may be removed in various places. On Linux, `println(new File("/var/"))` prints `/var`, while `println(new File("/var", "/"))` prints `/var/`; however, `println(new File("/var", "/").getCanonicalPath())` prints `/var`.
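The prefix check described above next to a segment-aware version, as an added example that is not Karaf's own code. The class name, method names and sample entry names are assumptions made for illustration; `/usr/out` is the directory from the description.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Path;

public class PartialPathTraversalCheck {

    // Weak form: a string prefix comparison on canonical paths.
    // getCanonicalPath() drops the trailing slash, so "/usr/out" is also
    // a string prefix of any sibling whose name starts with "out".
    static boolean isInsideWeak(File targetDir, File candidate) throws IOException {
        return candidate.getCanonicalPath().startsWith(targetDir.getCanonicalPath());
    }

    // Corrected form: Path.startsWith compares whole name elements,
    // so the directory name must match completely, not just as a prefix.
    static boolean isInsideStrict(File targetDir, File candidate) throws IOException {
        Path base = targetDir.getCanonicalFile().toPath();
        Path resolved = candidate.getCanonicalFile().toPath();
        return resolved.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        File targetDir = new File("/usr/out");
        // Constructed sample entry names, resolved relative to targetDir.
        String[] entries = {
            "file.txt",            // plain entry inside the target
            "sub/../file.txt",     // ".." that stays inside the target
            "../outnot/file.txt",  // sibling directory sharing the "out" prefix
            "../../etc/passwd"     // full traversal out of the target
        };
        for (String entry : entries) {
            File candidate = new File(targetDir, entry);
            System.out.printf("%-20s -> %-22s weak=%-5b strict=%b%n",
                    entry,
                    candidate.getCanonicalPath(),
                    isInsideWeak(targetDir, candidate),
                    isInsideStrict(targetDir, candidate));
        }
    }
}
```

The two checks disagree only on the sibling-directory entry, which is the partial traversal case; appending `File.separator` to the canonical target path before the string comparison is an equivalent correction.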