Multiple Path Traversal security issues

jboss · Mar 2, 2020 · ccc8740 · ccc8740
1 parent 4bb6148
commit ccc8740
Show file tree

Hide file tree

Showing 3 changed files with 5 additions and 3 deletions.
diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java
@@ -379,7 +379,7 @@ private URL findPathConsideringContracts(ClassLoader loader,
         } else if (root == null) {
             String contractName = ctx.getExternalContext().getRequestParameterMap()
                   .get("con");
-            if (null != contractName && 0 < contractName.length()) {
+            if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
                 contracts = new ArrayList<>();
                 contracts.add(contractName);
             } else {

diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceManager.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceManager.java
@@ -375,7 +375,7 @@ private String trimLeadingSlash(String s) {
         }
     }
 
-    private static boolean nameContainsForbiddenSequence(String name) {
+    static boolean nameContainsForbiddenSequence(String name) {
         boolean result = false;
         if (name != null) {
             name = name.toLowerCase();
@@ -591,6 +591,8 @@ private String getLocalePrefix(FacesContext context) {
 
         if(localePrefix != null && !nameContainsForbiddenSequence(localePrefix)){
             return localePrefix;
+        } else {
+            localePrefix = null; 
         }
 
         String appBundleName = context.getApplication().getMessageBundle();

diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java
@@ -339,7 +339,7 @@ private String findPathConsideringContracts(LibraryInfo library,
         } else if (root == null) {
             String contractName = ctx.getExternalContext().getRequestParameterMap()
                   .get("con");
-            if (null != contractName && 0 < contractName.length()) {
+            if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
                 contracts = new ArrayList<>();
                 contracts.add(contractName);
             } else {