diff --git a/src/jdk.zipfs/share/classes/jdk/nio/zipfs/ZipFileSystem.java b/src/jdk.zipfs/share/classes/jdk/nio/zipfs/ZipFileSystem.java
index f04d8af64dd..4f9b4e427bc 100644
--- a/src/jdk.zipfs/share/classes/jdk/nio/zipfs/ZipFileSystem.java
+++ b/src/jdk.zipfs/share/classes/jdk/nio/zipfs/ZipFileSystem.java
@@ -1575,6 +1575,10 @@ class ZipFileSystem extends FileSystem {
throw new ZipException("invalid CEN header (bad header size)");
}
IndexNode inode = new IndexNode(cen, pos, nlen);
+ if (hasDotOrDotDot(inode.name)) {
+ throw new ZipException("ZIP file can't be opened as a file system " +
+ "because an entry has a '.' or '..' element in its name");
+ }
inodes.put(inode, inode);
if (zc.isUTF8() || (flag & FLAG_USE_UTF8) != 0) {
checkUTF8(inode.name);
@@ -1591,6 +1595,44 @@ class ZipFileSystem extends FileSystem {
return cen;
}
+ /**
+ * Check Inode.name to see if it includes a "." or ".." in the name array
+ * @param path the path as stored in Inode.name to verify
+ * @return true if the path contains a "." or ".." entry; false otherwise
+ */
+ private boolean hasDotOrDotDot(byte[] path) {
+ // Inode.name always includes "/" in path[0]
+ assert path[0] == '/';
+ if (path.length == 1) {
+ return false;
+ }
+ int index = 1;
+ while (index < path.length) {
+ int starting = index;
+ while (index < path.length && path[index] != '/') {
+ index++;
+ }
+ // Check the path snippet for a "." or ".."
+ if (isDotOrDotDotPath(path, starting, index)) {
+ return true;
+ }
+ index++;
+ }
+ return false;
+ }
+
+ /**
+ * Check the path to see if it includes a "." or ".."
+ * @param path the path to check
+ * @return true if the path contains a "." or ".." entry; false otherwise
+ */
+ private boolean isDotOrDotDotPath(byte[] path, int start, int index) {
+ int pathLen = index - start;
+ if ((pathLen == 1 && path[start] == '.'))
+ return true;
+ return (pathLen == 2 && path[start] == '.') && path[start + 1] == '.';
+ }
+
private final void checkUTF8(byte[] a) throws ZipException {
try {
int end = a.length;
diff --git a/src/jdk.zipfs/share/classes/module-info.java b/src/jdk.zipfs/share/classes/module-info.java
index dcb2545b74a..da1559be28d 100644
--- a/src/jdk.zipfs/share/classes/module-info.java
+++ b/src/jdk.zipfs/share/classes/module-info.java
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2014, 2019, Oracle and/or its affiliates. All rights reserved.
+ * Copyright (c) 2014, 2021, Oracle and/or its affiliates. All rights reserved.
* DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
*
* This code is free software; you can redistribute it and/or modify it
@@ -45,6 +45,9 @@ import java.util.Set;
*
Open an existing file as a Zip file system
*
*
+ * The Zip file system provider does not support opening an existing Zip file
+ * that contains entries with "." or ".." in its name elements.
+ *
* URI Scheme Used to Identify the Zip File System
*
* The URI {@link java.net.URI#getScheme scheme} that identifies the ZIP file system is {@code jar}.
diff --git a/test/jdk/jdk/nio/zipfs/HasDotDotTest.java b/test/jdk/jdk/nio/zipfs/HasDotDotTest.java
new file mode 100644
index 00000000000..6c6111dd0ab
--- /dev/null
+++ b/test/jdk/jdk/nio/zipfs/HasDotDotTest.java
@@ -0,0 +1,155 @@
+/*
+ * Copyright (c) 2021, Oracle and/or its affiliates. All rights reserved.
+ * DO NOT ALTER OR REMOVE COPYRIGHT NOTICES OR THIS FILE HEADER.
+ *
+ * This code is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License version 2 only, as
+ * published by the Free Software Foundation.
+ *
+ * This code is distributed in the hope that it will be useful, but WITHOUT
+ * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or
+ * FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * version 2 for more details (a copy is included in the LICENSE file that
+ * accompanied this code).
+ *
+ * You should have received a copy of the GNU General Public License version
+ * 2 along with this work; if not, write to the Free Software Foundation,
+ * Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
+ *
+ * Please contact Oracle, 500 Oracle Parkway, Redwood Shores, CA 94065 USA
+ * or visit www.oracle.com if you need additional information or have any
+ * questions.
+ *
+ */
+import org.testng.annotations.DataProvider;
+import org.testng.annotations.Test;
+
+import java.io.IOException;
+import java.nio.charset.StandardCharsets;
+import java.nio.file.FileSystem;
+import java.nio.file.FileSystems;
+import java.nio.file.Files;
+import java.nio.file.Path;
+import java.util.Arrays;
+import java.util.Map;
+import java.util.stream.Stream;
+import java.util.zip.CRC32;
+import java.util.zip.ZipEntry;
+import java.util.zip.ZipOutputStream;
+
+import static org.testng.Assert.assertThrows;
+import static org.testng.Assert.assertTrue;
+/**
+ * @test
+ * @bug 8251329
+ * @summary Excercise Zip FS with "." or ".." in a Zip Entry name
+ * @modules jdk.zipfs
+ * @run testng/othervm HasDotDotTest
+ */
+public class HasDotDotTest {
+ // Zip file to be created
+ private static final Path ZIPFILE = Path.of("zipfsDotDotTest.zip");
+ // Data for Zip entries
+ private static final byte[] ENTRY_DATA =
+ "Tennis Anyone".getBytes(StandardCharsets.UTF_8);
+ // Display output
+ private static final boolean DEBUG = false;
+
+ /**
+ * DataProvider containing Zip entry names which should result in an IOException
+ * @return Array of Zip entry names
+ */
+ @DataProvider
+ private Object[][] checkForDotOrDotDotPaths() {
+ return new Object[][]{
+ {"/./foo"},
+ {"/../foo"},
+ {"/../foo/.."},
+ {"/foo/.."},
+ {"/foo/."},
+ {"/.."},
+ {"/."},
+ {"/.foo/./"},
+ {"/.././"},
+ };
+ }
+
+ // Zip entry names to create a Zip file with for validating they are not
+ // interpreted as a "." or ".." entry
+ private final String[] VALID_PATHS =
+ {"/foo.txt", "/..foo.txt", "/.foo.txt", "/.foo/bar.txt", "/foo/bar.txt"};
+ // Paths to be returned from Files::walk via Zip FS
+ private final String[] EXPECTED_PATHS =
+ {"/", "/..foo.txt", "/foo.txt", "/.foo.txt", "/.foo",
+ "/.foo/bar.txt", "/foo/bar.txt", "/foo"};
+
+ /**
+ * Creates a Zip file
+ * @param zip path for Zip to be created
+ * @param entries the entries to add to the Zip file
+ * @throws IOException if an error occurs
+ */
+ private static void createZip(Path zip, String... entries) throws IOException {
+ try (var os = Files.newOutputStream(zip);
+ ZipOutputStream zos = new ZipOutputStream(os)) {
+ for (var e : entries) {
+ var ze = new ZipEntry(e);
+ var crc = new CRC32();
+ ze.setMethod(ZipEntry.STORED);
+ crc.update(ENTRY_DATA);
+ ze.setCrc(crc.getValue());
+ ze.setSize(ENTRY_DATA.length);
+ zos.putNextEntry(ze);
+ zos.write(ENTRY_DATA);
+ }
+ }
+ }
+
+ /**
+ * Test to validate an IOException is thrown when opening a Zip file using
+ * Zip FS and the path contains a "." or ".."
+ * @param path
+ * @throws IOException
+ */
+ @Test(dataProvider = "checkForDotOrDotDotPaths")
+ public void hasDotOrDotDotTest(String path) throws IOException {
+ if (DEBUG) {
+ System.out.printf("Validating entry: %s%n", path);
+ }
+ Files.deleteIfExists(ZIPFILE);
+ createZip(ZIPFILE, path);
+ assertThrows(IOException.class, () ->
+ FileSystems.newFileSystem(ZIPFILE, Map.of()));
+ Files.deleteIfExists(ZIPFILE);
+ }
+
+ /**
+ * Validate that an entry with a name containing a "." or ".." can be
+ * accessed via Files::walk
+ * @throws IOException if an error occurs
+ */
+ @Test
+ public void validPaths() throws IOException {
+ Files.deleteIfExists(ZIPFILE);
+ createZip(ZIPFILE, VALID_PATHS);
+ /*
+ Walk through the Zip file and collect the Zip FS entries
+ */
+ try (FileSystem zipfs = FileSystems.newFileSystem(ZIPFILE)) {
+ Path zipRoot = zipfs.getPath("/");
+ try (Stream files = Files.walk(zipRoot, Integer.MAX_VALUE)) {
+ var entries = files.map(Path::toString)
+ .sorted()
+ .toArray(String[]::new);
+ if (DEBUG) {
+ for (String zipEntry : entries) {
+ System.out.println(zipEntry);
+ }
+ }
+ Arrays.sort(EXPECTED_PATHS);
+ assertTrue(Arrays.equals(entries, EXPECTED_PATHS));
+ }
+ }
+ Files.deleteIfExists(ZIPFILE);
+ }
+}