diff --git a/app/src/main/java/com/yizhuan/erban/ui/pay/BillingManager.java b/app/src/main/java/com/yizhuan/erban/ui/pay/BillingManager.java
index d64596ba3..84ff37046 100644
--- a/app/src/main/java/com/yizhuan/erban/ui/pay/BillingManager.java
+++ b/app/src/main/java/com/yizhuan/erban/ui/pay/BillingManager.java
@@ -38,7 +38,7 @@ public class BillingManager implements PurchasesUpdatedListener {
 private static final String TAG = "BillingManager";
 /*购买key*/
- private static final String BASE_64_ENCODED_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAs1/xs5aYKXp5iWlhuM763hAaNt3GneWBf2I4DjM2vTf43UWs1wgAnTpMIgoI80epnVPvdqbInu9fPMU7dp8d2XmjOF0GKydvnwUN0BpWKtg0kAcMCd7TW2s+FoZRmii2RkX2VGYMxLsCaN4P++DcpXQ8v8UyfvMNcLiVBeERM8+/FYfB94cA6OEoILb1bYwn4pGb7UlY7h11Zu0Hzmp2g209rfAmVRtO4SnEbvTicQI2l3mC6ggZi3pz5ffZxkWY7D3Y+NPgNogL/ZVZd8S8tt7lwpnmuF9s3fKcj3c6zun+B599YYxDVmZR688f5a43jc81/BHQwWKuMVCyCIPIFwIDAQAB";
+ private static final String BASE_64_ENCODED_PUBLIC_KEY = "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAotfZw5IAGCV4V/L/AblIO5DL/hrLTwC9MDlVoEEcL8rgrF4GIZrzhInQhqwjoY8FelThezK68ccMz4i+hi3Mup9kHNhYjlZo+A14gXV+omEzAFiWtqOsISvifSxrMi849LQuXfImqlKNRLzp+YSkr4oJq7OE7QmxlLwpAzFj623c6Z9NSj+NdoE3bRrS2F1SSGYYyHEMyV005TdzKnqtjwtkga2RPNZCnyepU6OuF/HrIUoBTIVpgd4aZC2lKSBY9GNBMxZLd0yCsXNLXRXnR0itaNh0clYkxUSa3PemqjBsr79hLFn2yQKDsBwSCBAfBsgbpAA84PF5Jl4dw6rl0wIDAQAB";
 /*客户端*/
 private BillingClient billingClient;
diff --git a/core/src/main/java/com/yizhuan/xchat_android_core/noble/NobleDataManager.java b/core/src/main/java/com/yizhuan/xchat_android_core/noble/NobleDataManager.java
index aceefcb66..500abde67 100644
--- a/core/src/main/java/com/yizhuan/xchat_android_core/noble/NobleDataManager.java
+++ b/core/src/main/java/com/yizhuan/xchat_android_core/noble/NobleDataManager.java
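Review bot: The replacement `BASE_64_ENCODED_PUBLIC_KEY` literal still carries only the comment `/*购买key*/`, which says neither what the key is nor why it was swapped, so a reader of this hunk cannot tell whether this is the Play Console licensing key and which signed purchase data it is expected to validate. A comment such as `/* Base64 RSA public key from the Play Console; presumably used to verify purchase-data signatures — a public value, not a secret, but any client-side check can be patched out of the APK, so purchase validation must also happen server-side */` would record the intent and the trust boundary. How the constant is used lies outside the hunk, so the verification role is inferred from its name and should be confirmed before the comment is committed.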
@@ -7,8 +7,8 @@ import androidx.collection.LongSparseArray;
 import com.google.gson.Gson;
 import com.google.gson.reflect.TypeToken;
-import com.yizhuan.xchat_android_core.R;
 import com.yizhuan.xchat_android_core.DemoCache;
+import com.yizhuan.xchat_android_core.R;
 import com.yizhuan.xchat_android_core.bean.response.ServiceResult;
 import com.yizhuan.xchat_android_core.initial.InitialModel;
 import com.yizhuan.xchat_android_core.initial.NobleResourceComponent;
@@ -218,39 +218,40 @@ public class NobleDataManager {
 isRequesting = false;
 }
 }).flatMap(new Function>() {
- @Override
- public SingleSource apply(ResponseBody responseBody) throws Exception {
- InputStream inputStream = responseBody.byteStream();
- if (inputStream == null) return Single.error(new Exception(ResUtil.getString(R.string.xchat_android_core_noble_nobledatamanager_01)));
- if (nobleZipPath.exists()) {
- // 删除旧的zip包
- nobleZipPath.delete();
- } else {
- // 创建其父目录
- if (!nobleZipPath.getParentFile().exists()) {
- nobleZipPath.getParentFile().mkdirs();
+ @Override
+ public SingleSource apply(ResponseBody responseBody) throws Exception {
+ InputStream inputStream = responseBody.byteStream();
+ if (inputStream == null)
+ return Single.error(new Exception(ResUtil.getString(R.string.xchat_android_core_noble_nobledatamanager_01)));
+ if (nobleZipPath.exists()) {
+ // 删除旧的zip包
+ nobleZipPath.delete();
+ } else {
+ // 创建其父目录
+ if (!nobleZipPath.getParentFile().exists()) {
+ nobleZipPath.getParentFile().mkdirs();
+ }
+ }
+ OutputStream fileOutputStream = new FileOutputStream(nobleZipPath);
+ byte[] bytes = new byte[1024];
+ int read;
+ while ((read = inputStream.read(bytes, 0, bytes.length)) != -1) {
+ fileOutputStream.write(bytes, 0, read);
+ }
+ fileOutputStream.flush();
+ fileOutputStream.close();
+ inputStream.close();
+ // 解压缩是否成功
+ return Single.just(unzipNobleZipFile());
+ }
- }
- }
- OutputStream fileOutputStream = new FileOutputStream(nobleZipPath);
- byte[] bytes = new byte[1024];
- int read;
- while ((read = inputStream.read(bytes, 0, bytes.length)) != -1) {
- fileOutputStream.write(bytes, 0, read);
- }
- fileOutputStream.flush();
- fileOutputStream.close();
- inputStream.close();
- // 解压缩是否成功
- return Single.just(unzipNobleZipFile());
- }
- }).observeOn(AndroidSchedulers.mainThread()).subscribe(new Consumer() {
- @Override
- public void accept(Boolean aBoolean) throws Exception {
- if (!aBoolean) return;
- IMNetEaseManager.get().getChatRoomEventObservable()
- .onNext(new RoomEvent().setEvent(RoomEvent.ON_NOBLE_CAN_USE));
- }
- });
+ }).observeOn(AndroidSchedulers.mainThread()).subscribe(new Consumer() {
+ @Override
+ public void accept(Boolean aBoolean) throws Exception {
+ if (!aBoolean) return;
+ IMNetEaseManager.get().getChatRoomEventObservable()
+ .onNext(new RoomEvent().setEvent(RoomEvent.ON_NOBLE_CAN_USE));
+ }
+ });
 }
@@ -321,6 +322,12 @@ public class NobleDataManager {
 continue;
 }
 file = new File(parent, entry.getName());
+ try {
+ ensureZipPathSafety(file, parent);
+ } catch (Exception e) {
+ e.printStackTrace();
+ return false;
+ }
 if (!file.exists()) {
 (new File(file.getParent())).mkdirs();
 } else if (file.exists() && file.isFile() && file.length() > 0) {
@@ -347,6 +354,13 @@ public class NobleDataManager {
 return true;
 }
+ private void ensureZipPathSafety(final File outputFile, final String destDirectory) throws Exception {
+ String destDirCanonicalPath = (new File(destDirectory)).getCanonicalPath();
+ String outputFileCanonicalPath = outputFile.getCanonicalPath();
+ if (!outputFileCanonicalPath.startsWith(destDirCanonicalPath)) {
+ throw new Exception(String.format("Found Zip Path Traversal Vulnerability with %s", destDirCanonicalPath));
+ }
+ }
 public NobleInfo getNobleByUid(String uid) {
 if (TextUtils.isEmpty(uid)) return null;
@@ -399,7 +413,7 @@ public class NobleDataManager {
 .observeOn(AndroidSchedulers.mainThread());
 }
- public File getUserLevelPath(){
+ public File getUserLevelPath() {
 return userLevelPath;
 }
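Review bot: The new `catch (Exception e)` around `ensureZipPathSafety(file, parent)` reduces the rejection to `e.printStackTrace()` and `return false`, so in the logs a blocked entry is indistinguishable from an `IOException` thrown by `getCanonicalPath()`, and the name of the offending entry is never recorded. The catch cannot be narrower while the helper declares `throws Exception`; if the helper threw `IOException` instead, the call site could read `} catch (IOException e) { Log.w(TAG, "rejected zip entry " + entry.getName(), e); return false; }`, assuming the class has a `TAG` and uses `android.util.Log`, which this hunk does not show. Entries written earlier in the loop appear to remain on disk after the early `return false`; the enclosing method starts and ends outside the hunk, so whether the caller removes the partially extracted directory cannot be seen here.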
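Review bot: `ensureZipPathSafety` decides with a bare `startsWith(destDirCanonicalPath)`, which also accepts any sibling whose name merely extends the destination (a canonical destination ending in `noble` admits a path under `noble2`), so the traversal guard is weaker than its name promises; compare against the directory plus separator, `if (!outputFileCanonicalPath.startsWith(destDirCanonicalPath + File.separator)) {`. The message passed to `String.format` names the destination directory rather than the entry that was rejected, which is the value a responder needs; include `outputFileCanonicalPath` in it, and prefer `IOException` over the bare `Exception` so the call site can catch a specific type. The helper receives only the `File`, so the original zip entry name is not available to it without a further parameter.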