added filename blacklist

Author: FreakyBytes

src/main/java/de/unirostock/sems/cbarchive/web/Fields.java

@@ -18,6 +18,10 @@
 */
 
 import java.io.File;
+import java.util.Arrays;
+import java.util.Collections;
+import java.util.HashSet;
+import java.util.Set;
 
 import javax.servlet.ServletContext;
 
@@ -40,6 +44,11 @@ public class Fields {
 	public static File STORAGE = new File ("/tmp/CombineArchiveWebStorage");
 
 	public static File SETTINGS_FILE = new File( STORAGE, SETTINGS_FILE_NAME );
+	
+	/** Blacklist of file names */
+	public static final Set<String> FILENAME_BLACKLIST = Collections.unmodifiableSet(
+			new HashSet<String>( Arrays.asList( new String[] {"metadata.rdf", "manifest.xml"} ) )
+		);
 
 	/** The Constant COOKIE_AGE. */
 	public static final int COOKIE_AGE = 60*60*24*365;

src/main/java/de/unirostock/sems/cbarchive/web/Tools.java

@@ -34,6 +34,8 @@
 import javax.servlet.http.Part;
 import javax.xml.bind.DatatypeConverter;
 
+import org.apache.commons.io.FilenameUtils;
+
 import com.fasterxml.jackson.core.JsonProcessingException;
 
 import de.binfalse.bflog.LOGGER;
@@ -258,4 +260,21 @@ public static URI generateWorkspaceRedirectUri( HttpServletRequest requestContex
 
 		return newLocation;
 	}
+	
+	/**
+	 * checks whether a filename is blacklisted or not
+	 * 
+	 * @param filename
+	 * @return true if filename is blacklisted
+	 */
+	public static boolean isFilenameBlacklisted( String filename ) {
+		
+		if( filename == null || filename.isEmpty() )
+			return true;
+		
+		if( Fields.FILENAME_BLACKLIST.contains( FilenameUtils.getName(filename) ) ) 
+			return true;
+		
+		return false;
+	}
 }

src/main/java/de/unirostock/sems/cbarchive/web/UserManager.java

@@ -305,8 +305,13 @@ public void deleteArchiveSilent( String archiveId ) {
 	}
 
 	public void updateArchiveEntry( String archiveId, ArchiveEntryDataholder newEntryDataholder ) throws CombineArchiveWebException {
+		Archive archive = null;
+		
+		if( Tools.isFilenameBlacklisted(newEntryDataholder.getFileName()) || Tools.isFilenameBlacklisted(newEntryDataholder.getFilePath()) )
+			throw new CombineArchiveWebException( 
+					MessageFormat.format("The filename is blacklisted. You may not add files called {0}!", newEntryDataholder.getFileName())
+				);
 
-		Archive archive;
 		try {
 			archive = getArchive(archiveId);
 		} catch (FileNotFoundException e) {

src/main/java/de/unirostock/sems/cbarchive/web/dataholder/Archive.java

@@ -33,6 +33,7 @@
 import javax.xml.bind.annotation.XmlAccessorType;
 import javax.xml.transform.TransformerException;
 
+import org.apache.commons.io.FilenameUtils;
 import org.jdom2.JDOMException;
 
 import com.fasterxml.jackson.annotation.JsonIgnore;
@@ -46,6 +47,7 @@
 import de.unirostock.sems.cbarchive.ArchiveEntry;
 import de.unirostock.sems.cbarchive.CombineArchive;
 import de.unirostock.sems.cbarchive.CombineArchiveException;
+import de.unirostock.sems.cbarchive.web.Tools;
 import de.unirostock.sems.cbarchive.web.exception.CombineArchiveWebException;
 import de.unirostock.sems.cbext.Formatizer;
 
@@ -242,6 +244,12 @@ public ArchiveEntry addArchiveEntry(String fileName, Path file, ReplaceStrategy
 			throw new CombineArchiveWebException("The archive was not opened");
 		}
 
+		// check for blacklisted filename
+		if( Tools.isFilenameBlacklisted(fileName) )
+			throw new CombineArchiveWebException( 
+					MessageFormat.format("The filename is blacklisted. You may not add files called {0}!", FilenameUtils.getName(fileName))
+				);
+		
 		ArchiveEntry entry = null;
 
 		if( strategy == ReplaceStrategy.RENAME || strategy == ReplaceStrategy.OVERRIDE ) {