From ba83d1a3704553209d3045cd8cb819219efd6bcc Mon Sep 17 00:00:00 2001
From: Makhtar DIAGNE <makhtar.diagne@teamdlab.com>
Date: Tue, 8 Sep 2020 14:36:36 +0200
Subject: [PATCH] [FIX RABB-808] Fix directory traversal security issue on getLogo

---
 .../fr/gouv/vitamui/ui/commons/service/ApplicationService.java | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ui/ui-commons/src/main/java/fr/gouv/vitamui/ui/commons/service/ApplicationService.java b/ui/ui-commons/src/main/java/fr/gouv/vitamui/ui/commons/service/ApplicationService.java
index d1529599..d3a4060c 100644
--- a/ui/ui-commons/src/main/java/fr/gouv/vitamui/ui/commons/service/ApplicationService.java
+++ b/ui/ui-commons/src/main/java/fr/gouv/vitamui/ui/commons/service/ApplicationService.java
@@ -163,7 +163,7 @@ public class ApplicationService extends AbstractCrudService<ApplicationDto> {
 }

 public String getBase64File(String fileName, String basePath) {
- final Path assetFile = Paths.get(basePath, fileName).normalize();
+ final Path assetFile = Paths.get(basePath, Paths.get(fileName).getFileName().toString());
 String base64Asset = null;
 try {
 base64Asset = DatatypeConverter.printBase64Binary(Files.readAllBytes(assetFile));
-- 
GitLab
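Review bot: On the added line, `Paths.get(fileName).getFileName()` returns null when `fileName` has no name element (a bare root such as `/`), so the chained `.toString()` throws a NullPointerException, and the `try` only begins two lines later, so it cannot cover this. The line also rewrites a traversal attempt to its last segment instead of refusing it, so a request for `../../x` is served as `basePath/x` with nothing in the visible lines marking the input as hostile. I would refuse such input rather than repair it: `final Path name = Paths.get(fileName).getFileName();` followed by `if (name == null || !name.toString().equals(fileName)) { /* log and reject */ }`. A `fileName` of `..` passes `getFileName()` unchanged and is only stopped later because the resolved path is a directory, so it should be rejected explicitly as well. The body of getBase64File continues past the end of the hunk.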