Bug 320546 - FileLocator.find() can find files outside of the bundle
Summary: FileLocator.find() can find files outside of the bundle
Status: RESOLVED FIXED
Alias: None
Product: Equinox
Classification: Eclipse Project
Component: Framework (show other bugs)
Version: 3.6   Edit
Hardware: PC Windows XP
: P3 normal (vote)
Target Milestone: 3.7 M1   Edit
Assignee: Thomas Watson CLA
QA Contact:
URL:
Whiteboard:
Keywords:
: 418266 (view as bug list)
Depends on:
Blocks:
 
Reported: 2010-07-21 15:23 EDT by Chris Goldthorpe CLA
Modified: 2013-09-30 09:01 EDT (History)
5 users (show)

See Also:

Attachments
Test case (6.11 KB, application/octet-stream)
2010-07-21 15:28 EDT, Chris Goldthorpe CLA 		no flags Details
patch + test (11.21 KB, patch)
2010-07-22 16:33 EDT, Thomas Watson CLA 		no flags Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Chris Goldthorpe CLA 2010-07-21 15:23:46 EDT 
This was discovered while investigating Bug 223539.

If a bundle is not jarred the line below

URL url = FileLocator.find(bundle, new Path("../file.txt"), null);	

can be used to access a file outside of the bundle, and any file on the system could potentially be accessed this way. There does not seem to be any reason to allow this as only bad things can happen if the FileLocator is used to read files outside the bundle.
Comment 1 Chris Goldthorpe CLA 2010-07-21 15:28:57 EDT 
Created attachment 174902 [details]
Test case

To reproduce:

Unzip the attachment in a temporary directory.
Create a text file file.txt in the directory which contains the bundle.
File/Import/Existing Project 
Launch Eclipse

File Locate Menu/File Locate Test

A messagebox opens showing the contents of file.txt, which was located using FileLocator.find()
Comment 2 Thomas Watson CLA 2010-07-22 14:25:47 EDT 
It turns out that Bundle.getEntry can leak out URLs that point to resources are outside of a directory bundle's top level directory.  I will look at fixing this.
Comment 3 Thomas Watson CLA 2010-07-22 16:33:47 EDT 
Created attachment 175023 [details]
patch + test

There were four methods on DirBundleFile that allowed you to access or get information on files outside of the directory bundle file itself.  This patch does some extra checks if folks are trying ".." paths to access bundle content from a directory bundle.

I was tempted to always fail to find resources if the path contained any ".."s since this is not supported for jar'ed bundles.  But this patch is a more conservative behavior change.  It only fails to find files if they end up being outside of the bundle's content.
Comment 4 Thomas Watson CLA 2010-07-22 16:36:38 EDT 
patch released.
Comment 5 Thomas Watson CLA 2013-09-30 09:01:18 EDT 
*** Bug 418266 has been marked as a duplicate of this bug. ***