From 00f6841dc7f8afa785b92bbca6444326d515357e Mon Sep 17 00:00:00 2001
From: Stian Thorgersen <stianst@gmail.com>
Date: Tue, 1 Sep 2015 13:39:35 +0200
Subject: [PATCH] Fix loading resources from theme

---
 .../main/java/org/keycloak/theme/FolderTheme.java    | 12 ++++++++++--
 1 file changed, 10 insertions(+), 2 deletions(-)

diff --git a/forms/common-themes/src/main/java/org/keycloak/theme/FolderTheme.java b/forms/common-themes/src/main/java/org/keycloak/theme/FolderTheme.java
index 7d9ce2abb8..d1593fe99d 100644
--- a/forms/common-themes/src/main/java/org/keycloak/theme/FolderTheme.java
+++ b/forms/common-themes/src/main/java/org/keycloak/theme/FolderTheme.java
@@ -18,6 +18,7 @@ public class FolderTheme implements Theme {
     private String parentName;
     private String importName;
     private File themeDir;
+    private File resourcesDir;
     private String name;
     private Type type;
     private final Properties properties;
@@ -34,6 +35,8 @@ public class FolderTheme implements Theme {
             parentName = properties.getProperty("parent");
             importName = properties.getProperty("import");
         }
+
+        resourcesDir = new File(themeDir, "resources");
     }
 
     @Override
@@ -73,8 +76,13 @@ public class FolderTheme implements Theme {
         if (File.separatorChar != '/') {
             path = path.replace('/', File.separatorChar);
         }
-        File file = new File(themeDir, "/resources/" + path);
-        return file.isFile() ? file.toURI().toURL() : null;
+
+        File file = new File(resourcesDir, path);
+        if (!file.isFile() || !file.getCanonicalPath().startsWith(resourcesDir.getCanonicalPath())) {
+            return null;
+        } else {
+            return file.toURI().toURL();
+        }
     }
 
     @Override