If baseDir is set, and a database name is given which points to a directory…

If baseDir is set, and a database name is given which points to a directory above (eg. "../dbname"), an exception is thrown.

h2/src/docsrc/html/changelog.html

@@ -23,6 +23,8 @@ Change Log
 </li><li>The functions isBeforeFirst() and isAfterLast() were not compliant to the
     JDBC spec. If the ResultSet contains no rows, they must return false. Fixed.
 </li><li>Filesystem parameters like "split:" didn't work in server mode with baseDir set.
+</li><li>If baseDir is set, and a database name is given which points to a directory above
+    (eg. "../dbname"), an exception is thrown.
 </li></ul>
 
 <h2>Version 1.2.133 (2010-04-10)</h2>

h2/src/main/org/h2/engine/ConnectionInfo.java

@@ -6,6 +6,7 @@
  */
 package org.h2.engine;
 
+import java.io.File;
 import java.util.ArrayList;
 import java.util.Arrays;
 import java.util.HashSet;
@@ -138,6 +139,19 @@ public class ConnectionInfo implements Cloneable {
                 fileSystemPrefix = name.substring(0, colonIndex+1);
                 name = name.substring(colonIndex+1);
             }
+            String testDbFilename;
+            if (name.startsWith("~")) {
+                testDbFilename = System.getProperty("user.home") + SysProperties.FILE_SEPARATOR + name.substring(1);
+            } else {
+                testDbFilename = dir + SysProperties.FILE_SEPARATOR + name;
+            }
+
+            File dbFile = new File(testDbFilename);
+            File baseDirFile = new File(dir);
+            if (!Utils.isInDir(dbFile, baseDirFile)) {
+                throw DbException.get(ErrorCode.IO_EXCEPTION_1, dbFile.getAbsolutePath() + " outside " +
+                        baseDirFile.getAbsolutePath());
+            }
             if (name.startsWith("~")) {
                 name = fileSystemPrefix + name;
             } else {

h2/src/main/org/h2/util/Utils.java

@@ -8,6 +8,7 @@ package org.h2.util;
 
 import java.io.ByteArrayInputStream;
 import java.io.ByteArrayOutputStream;
+import java.io.File;
 import java.io.IOException;
 import java.io.InputStream;
 import java.io.ObjectInputStream;
@@ -530,5 +531,26 @@ public class Utils {
             e.printStackTrace();
         }
     }
+    
+    /**
+     * Checks if a file is below a given directory
+     *
+     * @param file the file to check
+     * @param dir the directory the file must be in
+     * @return true if the file is below the directory
+     */
+    public static boolean isInDir(File file, File dir) {
+        try {
+            String canonicalFilename = file.getCanonicalPath();
+            String canonicalDirname = dir.getCanonicalPath();
+            if (canonicalFilename.equals(canonicalDirname)) {
+                // the file is the dir => not allowed (file "../test" in dir "test")
+                return false;
+            }
+            return canonicalFilename.startsWith(canonicalDirname);
+        } catch (IOException e) {
+            return false;
+        }
+    }
 
 }

h2/src/test/org/h2/test/unit/TestTools.java

@@ -672,7 +672,7 @@ public class TestTools extends TestBase {
         } catch (SQLException e) {
             // ignore
         }
-        // Test filesystem prefix
+        // Test filesystem prefix and escape from baseDir
         deleteDb("testsplit");
         server = Server.createTcpServer(
                         "-baseDir", baseDir,
@@ -680,6 +680,14 @@ public class TestTools extends TestBase {
                         "-tcpAllowOthers").start();
         conn = DriverManager.getConnection("jdbc:h2:tcp://localhost:9192/split:testsplit", "sa", "");
         conn.close();
+        
+        try {
+            conn = DriverManager.getConnection("jdbc:h2:tcp://localhost:9192/../test", "sa", "");
+            fail("Should throw an exception!");
+        } catch (Throwable e) {
+            // Expected
+        }
+        
         server.stop();
         deleteDb("testsplit");
     }