[
https://issues.apache.org/jira/browse/CAMEL-23765?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Work on CAMEL-23765 started by Andrea Cosentino.
------------------------------------------------
> camel-ftp/sftp/mina-sftp/azure-files/smb: contain localWorkDirectory
> downloads within the work directory
> --------------------------------------------------------------------------------------------------------
>
> Key: CAMEL-23765
> URL: https://issues.apache.org/jira/browse/CAMEL-23765
> Project: Camel
> Issue Type: Improvement
> Components: camel-ftp
> Reporter: Andrea Cosentino
> Assignee: Andrea Cosentino
> Priority: Major
> Fix For: 4.14.8, 4.18.3, 4.21.0
>
>
> When localWorkDirectory is enabled, the remote-file consumers build the local
> work file path from the remote file name without ensuring the result stays
> within the configured work directory - unlike the file producer, which jails
> via FileUtil.compactPath + startsWith when jailStartingDirectory=true. This
> proposes adding the same containment check to the localWorkDirectory download
> path in camel-ftp (FTP and SFTP), camel-mina-sftp, camel-azure-files and
> camel-smb, so a remote file name cannot resolve outside the work directory.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
