From 4b19da6ce94de4865a365c200d6e8169ffb2184f Mon Sep 17 00:00:00 2001
From: Ray Milkey
Date: Sun, 8 Jul 2018 10:06:19 -0700
Subject: [PATCH] Fix for OS-13 - don't allow app pathnames to leave the app root

Change-Id: I6bb7be6df8be3dced903f72cef4600532cb118a3
(cherry picked from commit 10e606aab45365b15f2533e0e92d5047ac6a84fe)
---
 .../onosproject/common/app/ApplicationArchive.java | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
index 55c198ed03..339e68e9e5 100644
--- a/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
+++ b/core/common/src/main/java/org/onosproject/common/app/ApplicationArchive.java
@@ -233,13 +233,17 @@ public class ApplicationArchive
 return new String(bytes, 0, Math.min(bytes.length, length), StandardCharsets.UTF_8);
 }
 
+ private String filterAppNameForFilesystem(String name) {
+ return name.replace("/", "^");
+ }
+
 /**
 * Purges the application archive directory.
 *
 * @param appName application name
 */
 public synchronized void purgeApplication(String appName) {
- File appDir = new File(appsDir, appName);
+ File appDir = new File(appsDir, filterAppNameForFilesystem(appName));
 try {
 Tools.removeDirectory(appDir);
 } catch (IOException e) {
@@ -353,7 +357,7 @@ public class ApplicationArchive
 boolean isSelfContained = false;
 ZipInputStream zis = new ZipInputStream(stream);
 ZipEntry entry;
- File appDir = new File(appsDir, desc.name());
+ File appDir = new File(appsDir, filterAppNameForFilesystem(desc.name()));
 while ((entry = zis.getNextEntry()) != null) {
 if (!entry.isDirectory()) {
 byte[] data = ByteStreams.toByteArray(zis);
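Review bot: `filterAppNameForFilesystem` rewrites only `/`, so a name of `.` or `..` reaches `new File(appsDir, ...)` unchanged, and in `purgeApplication` the resulting directory is then handed to `Tools.removeDirectory`; `\` is also left alone, which matters on platforms where it is a separator. The same helper is used by the hunks at -353, -437 and -499, so the gap applies there as well. The helper could reject those names in addition to mapping separators, as sketched below; `IllegalArgumentException` is a stand-in, and whichever exception type the callers already handle may fit better. `purgeApplication` continues outside the hunk.

```java
// Maps an application name to a single path component under appsDir.
private String filterAppNameForFilesystem(String name) {
    String filtered = name.replace('/', '^').replace('\\', '^');
    if (filtered.isEmpty() || ".".equals(filtered) || "..".equals(filtered)) {
        throw new IllegalArgumentException("Invalid application name: " + name);
    }
    return filtered;
}
```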
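Review bot: Only the directory name is filtered in this hunk, while the names of the archive entries returned by `zis.getNextEntry()` are a second source of path components in the same loop. The code that turns an entry into a file is outside the hunk, so whether it already constrains the entry name cannot be confirmed from here. If it does not, a comment such as `// entry names come from the archive; the resolved file must stay under appDir`, together with a canonical-path comparison against `appDir` before anything is written, would cover the case the commit title describes.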
@@ -437,7 +441,7 @@ public class ApplicationArchive
 private void saveApplication(InputStream stream, ApplicationDescription desc, boolean isSelfContainedJar) throws IOException {
- String name = desc.name() + (isSelfContainedJar ? JAR : OAR);
+ String name = filterAppNameForFilesystem(desc.name()) + (isSelfContainedJar ? JAR : OAR);
 Files.write(toByteArray(stream), appFile(desc.name(), name));
 }
 
@@ -499,7 +503,7 @@ public class ApplicationArchive
 
 // Returns the name of the file located under the specified app directory.
 private File appFile(String appName, String fileName) {
- return new File(new File(appsDir, appName), fileName);
+ return new File(new File(appsDir, filterAppNameForFilesystem(appName)), fileName);
 }
 
 // Returns the icon file located under the specified app directory.
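Review bot: Names that differ only in `/` versus `^` now produce the same archive file name, so the `Files.write` in `saveApplication` would replace one application's archive with another's. Whether `^` can appear in a valid application name is not visible on this page; if it can, the helper should reject it or use an escaping that is reversible. At minimum the assumption deserves a comment next to the `name` assignment, for example `// '/' is mapped to '^'; names that already contain '^' must be rejected before this point`.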
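Review bot: `appFile` filters `appName` but joins `fileName` exactly as given, so every caller has to remember to filter the file name itself, as `saveApplication` does in the hunk at -437. Callers outside this page that build `fileName` from an unfiltered application name would still produce a path with separators in it; that cannot be checked from here. Filtering both arguments in one place, `return new File(new File(appsDir, filterAppNameForFilesystem(appName)), filterAppNameForFilesystem(fileName));`, would remove the dependency on callers, provided no caller passes a `fileName` that legitimately contains a sub-path. The comment above the method could then read `// Returns the file under the specified app directory; both names are reduced to single path components.`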