KEYCLOAK-15012 Fix issue with folder theme provider

2020-09-09 21:25:08 +02:00 · 2020-09-09 21:25:08 +02:00 · 1281f28bb8
commit 1281f28bb8
parent 2df62369c3
2 changed files with 10 additions and 2 deletions
--- a/services/src/main/java/org/keycloak/theme/FolderTheme.java
+++ b/services/src/main/java/org/keycloak/theme/FolderTheme.java
@ -93,7 +93,7 @@ public class FolderTheme implements Theme {
        }

        File file = new File(resourcesDir, path);
-        if (!file.isFile() || !file.getCanonicalPath().startsWith(resourcesDir.getCanonicalPath())) {
+        if (!file.isFile() || !file.getCanonicalPath().startsWith(resourcesDir.getCanonicalPath() + File.separator)) {
            return null;
        } else {
            return file.toURI().toURL().openStream();
--- a/services/src/main/java/org/keycloak/theme/FolderThemeProvider.java
+++ b/services/src/main/java/org/keycloak/theme/FolderThemeProvider.java
@ -84,7 +84,15 @@ public class FolderThemeProvider implements ThemeProvider {
    }

    private File getThemeDir(String name, Theme.Type type) {
-        return new File(themesDir, name + File.separator + type.name().toLowerCase());
+        File f = new File(themesDir, name + File.separator + type.name().toLowerCase());
+        try {
+            if (!f.getCanonicalPath().startsWith(themesDir.getCanonicalPath() + File.separator)) {
+                return null;
+            }
+        } catch (IOException e) {
+            return null;
+        }
+        return f;
    }

 }