JDK-4514340

java.io.File.getCanonicalPath transforms "..." to ".." (win32)


    • Bug
    • Resolution: Fixed
    • P4
    • 1.4.1
    • 1.4.0
    • core-libs
    • hopper
    • x86
    • windows_2000
    • Verified



      Name: yyT116575 Date: 10/12/2001


      java version "1.4.0-beta2"
      Java(TM) 2 Runtime Environment, Standard Edition (build 1.4.0-beta2-b76)
      Java HotSpot(TM) Client VM (build 1.4.0-beta2-b76, mixed mode)


      The method File.getCanonicalPath sometimes leaves updir (..) patterns
      in paths for illegal input paths. For example, the path "a\...\...\b", when
      canonicalized, becomes "C:\a\..\..\b".
       
      Since the path is illegal, the transformation of the "..." sequences to ".."
      allows parent directories to be traversed. The getCanonicalPath method
      can be used to do file security checks, without a SecurityManager. With
      this defect, security can be compromised.

      import java.io.File;

      public class CanonicalTest {
        public static void main(String[] args) throws Exception {
          // Print the canonical form of the path given as the first argument
          System.out.println(new File(args[0]).getCanonicalPath());
        }
      }

      C:\>java CanonicalTest a\...\...\b
      C:\a\..\..\b
      (Review ID: 133660)
      ======================================================================
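
Added example (not part of the original report or of the JDK sources): a containment check that does not rely on getCanonicalPath alone to neutralize dot-only segments such as "...". The class name SafeResolve, the helper resolveUnder, the base directory "uploads" and the sample inputs are all hypothetical and constructed for illustration.

```java
import java.io.File;
import java.io.IOException;

public class SafeResolve {
    // Hypothetical helper: resolve userPath under base, or throw if it could escape.
    static File resolveUnder(File base, String userPath) throws IOException {
        // Reject "..", "..." and longer dot-only segments up front instead of
        // trusting canonicalization to neutralize them. Both separators are
        // split on so the check behaves the same on every platform.
        for (String seg : userPath.split("[/\\\\]")) {
            if (seg.length() > 1 && seg.chars().allMatch(c -> c == '.')) {
                throw new IOException("dot-only segment rejected: " + seg);
            }
        }
        File canonBase = base.getCanonicalFile();
        File canon = new File(canonBase, userPath).getCanonicalFile();

        // Defense in depth: a canonical path should contain no ".." at all.
        for (String seg : canon.getPath().split("[/\\\\]")) {
            if (seg.equals("..")) {
                throw new IOException("updir left in canonical path: " + canon);
            }
        }
        // Containment: compare against base plus separator so that
        // "uploads-old" is not accepted as being inside "uploads".
        String prefix = canonBase.getPath();
        if (!prefix.endsWith(File.separator)) {
            prefix += File.separator;
        }
        if (!canon.getPath().startsWith(prefix)) {
            throw new IOException("path escapes base: " + canon);
        }
        return canon;
    }

    public static void main(String[] args) {
        File base = new File("uploads"); // constructed sample base directory
        // Constructed inputs; the second is the path from the report.
        String[] samples = { "a/b.txt", "a\\...\\...\\b", "../secret.txt", "a/./b" };
        for (String s : samples) {
            try {
                System.out.println("OK      " + s + " -> " + resolveUnder(base, s));
            } catch (IOException e) {
                System.out.println("REJECT  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```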

            kkladkosunw Konstantin Kladko (Inactive)
            yyoungsunw Yung-ching Young (Inactive)