From 3686c3729ceff418fd3cffb701437f816533008e Mon Sep 17 00:00:00 2001
From: seboo <25958061+seboo@users.noreply.github.com>
Date: Tue, 28 Aug 2018 15:50:01 +0200
Subject: [PATCH] LUTECE-2210 : avoid path manipulation

---
 src/java/fr/paris/lutece/portal/web/style/ModesJspBean.java | 6 ++++++
 .../fr/paris/lutece/portal/web/system/SystemJspBean.java | 3 ++-
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/src/java/fr/paris/lutece/portal/web/style/ModesJspBean.java b/src/java/fr/paris/lutece/portal/web/style/ModesJspBean.java
index 5b1f2c1a7..361501393 100644
--- a/src/java/fr/paris/lutece/portal/web/style/ModesJspBean.java
+++ b/src/java/fr/paris/lutece/portal/web/style/ModesJspBean.java
@@ -45,6 +45,7 @@
 import fr.paris.lutece.portal.web.constants.Messages;
 import fr.paris.lutece.portal.web.constants.Parameters;
 import fr.paris.lutece.util.html.HtmlTemplate;
+import fr.paris.lutece.util.http.SecurityUtil;
 
 import java.io.File;
 
@@ -152,6 +153,11 @@ public String doCreateMode( HttpServletRequest request ) throws AccessDeniedExce
             strPath += File.separator;
         }
 
+        if ( SecurityUtil.containsPathManipulationChars(request, strPath) )
+        {
+            throw new AccessDeniedException( "Invalid path" );
+        }
+
         File dirPath = new File( AppPathService.getPath( PROPERTY_PATH_XSL ) + strPath );
 
         if ( dirPath.exists( ) )
diff --git a/src/java/fr/paris/lutece/portal/web/system/SystemJspBean.java b/src/java/fr/paris/lutece/portal/web/system/SystemJspBean.java
index 8aa3027a9..24a0ea71d 100644
--- a/src/java/fr/paris/lutece/portal/web/system/SystemJspBean.java
+++ b/src/java/fr/paris/lutece/portal/web/system/SystemJspBean.java
@@ -46,6 +46,7 @@
 import fr.paris.lutece.portal.service.util.AppPropertiesService;
 import fr.paris.lutece.portal.web.admin.AdminFeaturesPageJspBean;
 import fr.paris.lutece.util.html.HtmlTemplate;
+import fr.paris.lutece.util.http.SecurityUtil;
 import fr.paris.lutece.util.stream.StreamUtil;
 
 import java.io.File;
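Review bot: The new guard in doCreateMode validates strPath only by a character denylist, which is a weaker guarantee than confirming that the directory actually resolved stays under AppPathService.getPath( PROPERTY_PATH_XSL ); a containment check on the canonical path after dirPath is built (comparing dirPath.getCanonicalPath( ) against the canonical base directory, with the IOException mapped to the same AccessDeniedException) would make the intent explicit regardless of which sequences containsPathManipulationChars happens to cover. The check also runs after File.separator has been appended to strPath, so it only works if the separator itself is not one of the rejected sequences; a short comment at the check, `// strPath already ends with File.separator; SecurityUtil must not reject a bare separator`, would record that dependency for the next maintainer. doCreateMode starts before the hunk and continues after it.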
@@ -209,7 +210,7 @@ public String getFileView( HttpServletRequest request )
     {
         String strFilePath = AppPathService.getWebAppPath( );
 
-        if ( strFilePath != null )
+        if ( strFilePath != null && SecurityUtil.containsPathManipulationChars( request, strFile ))
         {
             strFileData = getFileData( strFilePath + strDirectory + strFile );
         }
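Review bot: The new condition in getFileView is inverted: `strFilePath != null && SecurityUtil.containsPathManipulationChars( request, strFile )` reads the file only when strFile does contain path-manipulation characters, so ordinary requests now get no data while exactly the inputs the commit means to block are served; it should be `if ( strFilePath != null && !SecurityUtil.containsPathManipulationChars( request, strFile ) )`. The guard also covers only strFile, while the path handed to getFileData concatenates strDirectory as well; its assignment is outside the hunk, but if it is request-supplied it needs the same check. Unlike the ModesJspBean change in this commit, a rejected value here falls through silently with strFileData left unset rather than raising AccessDeniedException, so consider rejecting explicitly for consistency. getFileView starts before the hunk and continues after it.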