From 2cf4da6f346b57128724aa893d4f2c8e57e7ed2e Mon Sep 17 00:00:00 2001
From: ruolli
Date: Thu, 10 Jun 2021 15:52:22 +0800
Subject: [PATCH] Multiple Path Traversal security issues

---
 .../sun/faces/application/resource/ClasspathResourceHelper.java | 2 +-
 .../com/sun/faces/application/resource/ResourceManager.java | 2 +-
 .../sun/faces/application/resource/WebappResourceHelper.java | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java
index b50916e..57a5454 100644
--- a/jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java
+++ b/jsf-ri/src/main/java/com/sun/faces/application/resource/ClasspathResourceHelper.java
@@ -376,7 +376,7 @@ public class ClasspathResourceHelper extends ResourceHelper {
 } else if (root == null) {
 String contractName = ctx.getExternalContext().getRequestParameterMap()
 .get("con");
- if (null != contractName && 0 < contractName.length()) {
+ if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
 contracts = new ArrayList();
 contracts.add(contractName);
 } else {
diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceManager.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceManager.java
index f904f9d..b714769 100644
--- a/jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceManager.java
+++ b/jsf-ri/src/main/java/com/sun/faces/application/resource/ResourceManager.java
@@ -374,7 +374,7 @@ public class ResourceManager {
 }
- private static boolean nameContainsForbiddenSequence(String name) {
+ static boolean nameContainsForbiddenSequence(String name) {
 boolean result = false;
 if (name != null) {
 name = name.toLowerCase();
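Review bot: The guard on the added `+` line is the same three-clause expression that WebappResourceHelper adds at its own `con` lookup, and at well over 120 columns it is hard to read; any later hardening of this check (a length cap, an allow-list against the application's declared contracts) would have to be repeated at both sites and can silently drift. I would move the whole validation into ResourceManager, e.g. `static boolean isValidContractName(String name) { return name != null && !name.isEmpty() && !nameContainsForbiddenSequence(name); }`, and call `if (ResourceManager.isValidContractName(contractName)) {` here, with a why-comment above it such as `// "con" is request-supplied; reject traversal sequences before it becomes a path segment`. The enclosing method starts before and ends after this hunk.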
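Review bot: Widening `nameContainsForbiddenSequence` to package-private turns it into a shared security gate for request-supplied names, but the method still has no Javadoc saying what it guarantees, so new callers cannot tell which sequences it rejects or that the comparison is case-insensitive; the method body continues outside the hunk. I would add above the signature: `/** Case-insensitive check that {@code name} contains none of the sequences this class forbids in resource, library and contract names; callers must reject a name for which this returns true before using it as a path segment. */`. The `name.toLowerCase()` on the last context line also uses the JVM default locale; for a security comparison prefer `name = name.toLowerCase(Locale.ROOT);` so the outcome does not depend on the platform locale (this needs `java.util.Locale`, whose import is not visible here).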
diff --git a/jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java b/jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java
index 4ff422a..d420e7b 100644
--- a/jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java
+++ b/jsf-ri/src/main/java/com/sun/faces/application/resource/WebappResourceHelper.java
@@ -334,7 +334,7 @@ public class WebappResourceHelper extends ResourceHelper {
 } else if (root == null) {
 String contractName = ctx.getExternalContext().getRequestParameterMap()
 .get("con");
- if (null != contractName && 0 < contractName.length()) {
+ if (null != contractName && 0 < contractName.length() && !ResourceManager.nameContainsForbiddenSequence(contractName)) {
 contracts = new ArrayList();
 contracts.add(contractName);
 } else {
--
2.23.0
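Review bot: When the added check rejects a `con` value, control falls into the `} else {` branch exactly as if the parameter were absent, so a request carrying a traversal sequence is served with the fallback and leaves no trace for detection; the enclosing method starts before and ends after this hunk. Since a rejected value is precisely the signal a defender wants, I would record the rejection at that point, e.g. `else if (contractName != null && LOGGER.isLoggable(Level.FINE)) { LOGGER.fine("Rejected contract name supplied in request parameter con"); }`, logging the fact rather than the raw value to avoid log injection, assuming this helper has a logger (not visible in the hunk). A deny-list on a request parameter is also weaker than confirming the requested contract is one the application actually declares; if that list is reachable from this method, a membership check would cover sequences the deny-list does not anticipate.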