From 3bc5ee6e3d0d707c477521b27ca4f85633aa5179 Mon Sep 17 00:00:00 2001 From: Marc Nause Date: Mon, 4 Feb 2013 19:57:28 +0100 Subject: [PATCH] *) added protection against CSRF in update download page (http://localhost:8090/ConfigUpdate_p.html?releaseinstall=../../test.txt&deleteRelease=Delete+Release does not work anymore) --- htroot/ConfigUpdate_p.java | 7 +++++++ source/net/yacy/kelondro/util/FileUtils.java | 17 +++++++++++++++++ 2 files changed, 24 insertions(+) diff --git a/htroot/ConfigUpdate_p.java b/htroot/ConfigUpdate_p.java index be5481449..4e0ca6db7 100644 --- a/htroot/ConfigUpdate_p.java +++ b/htroot/ConfigUpdate_p.java @@ -110,10 +110,17 @@ public class ConfigUpdate_p { final String release = post.get("releaseinstall", ""); if (!release.isEmpty()) { try { + // only delete files from RELEASE directory + if (FileUtils.isInDirectory(new File(sb.releasePath, release), sb.releasePath)) { FileUtils.deletedelete(new File(sb.releasePath, release)); FileUtils.deletedelete(new File(sb.releasePath, release + ".sig")); + } else { + sb.getLog().logSevere("AUTO-UPDATE: could not delete " + release + ": file not in release directory."); + } } catch (final NullPointerException e) { sb.getLog().logSevere("AUTO-UPDATE: could not delete release " + release + ": " + e.getMessage()); + } catch (final IOException e) { + sb.getLog().logSevere("AUTO-UPDATE: could not delete release " + release + ": " + e.getMessage()); } } } diff --git a/source/net/yacy/kelondro/util/FileUtils.java b/source/net/yacy/kelondro/util/FileUtils.java index 2e631466a..cf773f33e 100644 --- a/source/net/yacy/kelondro/util/FileUtils.java +++ b/source/net/yacy/kelondro/util/FileUtils.java 
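Review bot: The guard added around the two `deletedelete` calls confines where the resolved path may land, but it still accepts traversal-shaped input and, going by the GET URL quoted in the commit message, it does not authenticate the request against forgery — so this hunk fixes arbitrary-file deletion, not CSRF: a victim's browser can still be made to issue the same request with a legitimate release name. A cheaper and clearer pre-check is to refuse anything that is not a bare file name before building the `File`, e.g. `if (!release.equals(new File(release).getName())) { sb.getLog().logSevere("AUTO-UPDATE: refusing release name " + release); return ...; }`, keeping `isInDirectory` as defense in depth. Whether `post` holds only POST-body parameters cannot be told from this hunk; if query-string parameters are accepted here, the forgery case named in the title still needs a per-session token or POST-only handling. The new `else` branch also logs the raw request value with a different prefix ("could not delete ") than the two catch blocks ("could not delete release "); aligning the wording makes the log searchable for the same event.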
@@ -851,5 +851,22 @@ public final class FileUtils { } } } + + /** + * Checks if a certain file is in a given directory. + * @param file the file to check + * @param directory the directory which must contain the file + * @return true if file is contained in diretory + */ + public static boolean isInDirectory(final File file, final File directory) throws IOException { + + return + directory != null + && directory.isDirectory() + && file != null + && file.isFile() + && directory.getCanonicalPath().equalsIgnoreCase( + file.getParentFile().getCanonicalPath()); + } }
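Review bot: `equalsIgnoreCase` on the two canonical paths loosens the containment check on case-sensitive filesystems, where `/x/RELEASE` and `/x/release` are distinct directories; `getCanonicalPath()` already reflects on-disk case where the filesystem ignores it, so plain `equals` is both sufficient and stricter: `&& directory.getCanonicalPath().equals(file.getParentFile().getCanonicalPath())`. `file.getParentFile()` returns null for a bare relative name, which turns the comparison into a NullPointerException instead of the declared IOException; add `&& file.getParentFile() != null` before the final clause. The Javadoc should state what the predicate actually tests — an existing regular file (`isFile()` follows symbolic links) that is an immediate child of `directory`, not anything under a subdirectory — and fix the "diretory" typo in the `@return` line.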