6687919: REGRESSION : Classloader can handle any resource which is not included in classpath
Reviewed-by: jccollet, alanb
--- a/jdk/src/share/classes/sun/misc/URLClassPath.java Wed Apr 30 11:10:33 2008 -0700
+++ b/jdk/src/share/classes/sun/misc/URLClassPath.java Fri May 02 21:33:59 2008 +0100
@@ -961,6 +961,7 @@
* from a file URL that refers to a directory.
*/
private static class FileLoader extends Loader {
+ /* Canonicalized File */
private File dir;
FileLoader(URL url) throws IOException {
@@ -970,7 +971,7 @@
}
String path = url.getFile().replace('/', File.separatorChar);
path = ParseUtil.decode(path);
- dir = new File(path);
+ dir = (new File(path)).getCanonicalFile();
}
/*
@@ -997,8 +998,19 @@
if (check)
URLClassPath.check(url);
- final File file =
- new File(dir, name.replace('/', File.separatorChar));
+
+ final File file;
+ if (name.indexOf("..") != -1) {
+ file = (new File(dir, name.replace('/', File.separatorChar)))
+ .getCanonicalFile();
+ if ( !((file.getPath()).startsWith(dir.getPath())) ) {
+ /* outside of base dir */
+ return null;
+ }
+ } else {
+ file = new File(dir, name.replace('/', File.separatorChar));
+ }
+
if (file.exists()) {
return new Resource() {
public String getName() { return name; };