*) added protection against CSRF in update download page

(http://localhost:8090/ConfigUpdate_p.html?releaseinstall=../../test.txt&deleteRelease=Delete+Release
does not work anymore)
Marc Nause 12 years ago
parent bc00097cbf
commit 3bc5ee6e3d

@ -110,10 +110,17 @@ public class ConfigUpdate_p {
final String release = post.get("releaseinstall", "");
if (!release.isEmpty()) {
try {
// only delete files from RELEASE directory
if (FileUtils.isInDirectory(new File(sb.releasePath, release), sb.releasePath)) {
FileUtils.deletedelete(new File(sb.releasePath, release));
FileUtils.deletedelete(new File(sb.releasePath, release + ".sig"));
} else {
sb.getLog().logSevere("AUTO-UPDATE: could not delete " + release + ": file not in release directory.");
}
} catch (final NullPointerException e) {
sb.getLog().logSevere("AUTO-UPDATE: could not delete release " + release + ": " + e.getMessage());
} catch (final IOException e) {
sb.getLog().logSevere("AUTO-UPDATE: could not delete release " + release + ": " + e.getMessage());
}
}
}
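Review bot: The guard added around the two `deletedelete` calls is a path-containment check rather than CSRF protection as the commit title says; nothing in this hunk ties the request to the site itself (for example a transaction token), so a cross-site request naming an existing release file would presumably still trigger the deletion unless such a check exists outside the hunk. The `catch (final NullPointerException e)` block now appears redundant, since `isInDirectory` null-checks both arguments and `new File(sb.releasePath, release)` always has a parent; catching NPE in place of a check hides programming errors and could be dropped. The request-supplied `release` value is also written verbatim into the log on three lines, which deserves a comment such as `// 'release' is untrusted request input: log it, but only ever resolve it inside releasePath`. The enclosing method starts before the hunk.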

@ -851,5 +851,22 @@ public final class FileUtils {
}
}
}
/**
* Checks if a certain file is in a given directory.
* @param file the file to check
* @param directory the directory which must contain the file
* @return true if file is contained in diretory
*/
public static boolean isInDirectory(final File file, final File directory) throws IOException {
return
directory != null
&& directory.isDirectory()
&& file != null
&& file.isFile()
&& directory.getCanonicalPath().equalsIgnoreCase(
file.getParentFile().getCanonicalPath());
}
}
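Review bot: `file.getParentFile()` returns null for a path with no parent component (a bare relative name), so the final comparison in `isInDirectory` throws NullPointerException instead of returning false; a local guard fixes it: `final File parent = file.getParentFile();` followed by `return directory != null && directory.isDirectory() && file != null && file.isFile() && parent != null && directory.getCanonicalPath().equalsIgnoreCase(parent.getCanonicalPath());`. The `equalsIgnoreCase` comparison is looser than necessary on case-sensitive file systems, where a sibling directory differing only in case would be accepted as the same directory; if case-insensitivity is only meant for Windows, plain `equals` on the canonical paths is worth considering since canonicalization there already yields the on-disk case. The Javadoc should state what the check actually requires — an existing regular file whose immediate parent is `directory`, so files in subdirectories and non-existent paths return false — and fix the typo "diretory" in the `@return` line. FileUtils begins before the hunk.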
