Merge pull request #62 from rmartinc:JBEAP-18842

[JBEAP-18842] Multiple Path Traversal security issues
jboss · Apr 30, 2020 · e2d3e41 · e2d3e41
2 parents d88b8d9 + ccc8740
commit e2d3e41
Show file tree

Hide file tree

Showing 3 changed files with 6 additions and 4 deletions.
diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java
@@ -379,7 +379,7 @@ private URL findPathConsideringContracts(ClassLoader loader,
         } else if (root == null) {
             String contractName = ctx.getExternalContext().getRequestParameterMap()
                   .get("con");
-            if (null != contractName && 0 < contractName.length()) {
+            if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
                 contracts = new ArrayList<>();
                 contracts.add(contractName);
             } else {

diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceManager.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceManager.java
@@ -375,7 +375,7 @@ private String trimLeadingSlash(String s) {
         }
     }
 
-    private static boolean nameContainsForbiddenSequence(String name) {
+    static boolean nameContainsForbiddenSequence(String name) {
         boolean result = false;
         if (name != null) {
             name = name.toLowerCase();
@@ -589,8 +589,10 @@ private String getLocalePrefix(FacesContext context) {
 
         localePrefix = context.getExternalContext().getRequestParameterMap().get("loc");
 
-        if(localePrefix != null){
+        if(localePrefix != null && !nameContainsForbiddenSequence(localePrefix)){
             return localePrefix;
+        } else {
+            localePrefix = null; 
         }
 
         String appBundleName = context.getApplication().getMessageBundle();

diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java
@@ -339,7 +339,7 @@ private String findPathConsideringContracts(LibraryInfo library,
         } else if (root == null) {
             String contractName = ctx.getExternalContext().getRequestParameterMap()
                   .get("con");
-            if (null != contractName && 0 < contractName.length()) {
+            if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
                 contracts = new ArrayList<>();
                 contracts.add(contractName);
             } else {