LUTECE-2210 : avoid path manipulation

seboo · seboo · commit 43d0ded095f4 · 2018-08-28T15:50:01.000+02:00
diff --git a/src/java/fr/paris/lutece/portal/web/style/ModesJspBean.java b/src/java/fr/paris/lutece/portal/web/style/ModesJspBean.java
@@ -45,6 +45,7 @@
 import fr.paris.lutece.portal.web.constants.Messages;
 import fr.paris.lutece.portal.web.constants.Parameters;
 import fr.paris.lutece.util.html.HtmlTemplate;
+import fr.paris.lutece.util.http.SecurityUtil;
 
 import java.io.File;
 
@@ -152,6 +153,11 @@ public String doCreateMode( HttpServletRequest request ) throws AccessDeniedExce
             strPath += File.separator;
         }
 
+        if ( SecurityUtil.containsPathManipulationChars(request, strPath) )
+        {
+            throw new AccessDeniedException( "Invalid path" );
+        }
+
         File dirPath = new File( AppPathService.getPath( PROPERTY_PATH_XSL ) + strPath );
 
         if ( dirPath.exists( ) )
