From ab81fa4c94bf0ae8e344a0a0165193acf6a4c07c Mon Sep 17 00:00:00 2001 From: 0xboobface <0xboobface@gmail.com> Date: Tue, 17 Dec 2019 21:18:29 +0100 Subject: [PATCH] Fix path check bug in HlsServlet and support dir symlinks String.startsWith() comparison for the canonical recording dir did not always check the last component correctly: recordingDir: /path/to/dir request: ../dirOther/filename --- .../main/java/ctbrec/recorder/server/HlsServlet.java | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/server/src/main/java/ctbrec/recorder/server/HlsServlet.java b/server/src/main/java/ctbrec/recorder/server/HlsServlet.java index af04c95b..4abe79e3 100644 --- a/server/src/main/java/ctbrec/recorder/server/HlsServlet.java +++ b/server/src/main/java/ctbrec/recorder/server/HlsServlet.java @@ -4,6 +4,8 @@ import static javax.servlet.http.HttpServletResponse.*; import java.io.File; import java.io.FileInputStream; import java.io.IOException; +import java.nio.file.Path; +import java.nio.file.Paths; import java.security.InvalidKeyException; import java.security.NoSuchAlgorithmException; @@ -30,10 +32,12 @@ public class HlsServlet extends AbstractCtbrecServlet { protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException { String contextPath = getServletContext().getContextPath(); String request = req.getRequestURI().substring(contextPath.length() + 5); - File recordingsDir = new File(config.getSettings().recordingsDir); - File requestedFile = new File(recordingsDir, request); + Path recordingsDirPath = Paths.get(config.getSettings().recordingsDir).toAbsolutePath().normalize(); + Path requestedFilePath = recordingsDirPath.resolve(request).toAbsolutePath().normalize(); - if (requestedFile.getCanonicalPath().startsWith(config.getSettings().recordingsDir)) { + boolean isValidRequestedPath = requestedFilePath.startsWith(recordingsDirPath); + if (isValidRequestedPath) { + File requestedFile = requestedFilePath.toFile(); if (requestedFile.getName().equals("playlist.m3u8")) { try { boolean isRequestAuthenticated = checkAuthentication(req, req.getRequestURI());