From 18e6b90b9c68a84b259c7ee124c19bb5574f4776 Mon Sep 17 00:00:00 2001
From: Kalpa Welivitigoda
Date: Fri, 22 Apr 2016 02:37:49 +0530
Subject: [PATCH 1/2] Updating embedded tomcat version to 7.0.69
---
pom.xml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/pom.xml b/pom.xml
index ba6f9d6739..85cda0667e 100644
--- a/pom.xml
+++ b/pom.xml
@@ -1744,7 +1744,7 @@ 2.2.0
- 7.0.59
+ 7.0.69
 ${version.tomcat}.wso2v1
From 063c2d319a1149b1d5e03c5ccaa4fce5468a756c Mon Sep 17 00:00:00 2001
From: Kalpa Welivitigoda
Date: Fri, 22 Apr 2016 02:43:31 +0530
Subject: [PATCH 2/2] SECURITYINTERNAL-90 : Allowing only CARBON_LOGFILE appender log files in the carbon log directory to be retrived from LogViewer admin service
---
.../logging/service/util/LoggingUtil.java | 35 ++++++++++++++++---
1 file changed, 30 insertions(+), 5 deletions(-)
diff --git a/components/logging/org.wso2.carbon.logging.service/src/main/java/org/wso2/carbon/logging/service/util/LoggingUtil.java b/components/logging/org.wso2.carbon.logging.service/src/main/java/org/wso2/carbon/logging/service/util/LoggingUtil.java
index 7974446137..c0376cb5d2 100644
--- a/components/logging/org.wso2.carbon.logging.service/src/main/java/org/wso2/carbon/logging/service/util/LoggingUtil.java
+++ b/components/logging/org.wso2.carbon.logging.service/src/main/java/org/wso2/carbon/logging/service/util/LoggingUtil.java
@@ -54,6 +54,7 @@ import java.io.BufferedInputStream;
 import java.io.BufferedReader;
+import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.IOException;
@@ -72,6 +73,7 @@ public class LoggingUtil {
 public static final String SYSTEM_LOG_PATTERN = "[%d] %5p - %x %m {%c}%n";
 private static final int MAX_LOG_MESSAGES = 200;
+ private static final String CARBON_LOGFILE_APPENDER = "CARBON_LOGFILE";
 private static final Log log = LogFactory.getLog(LoggingUtil.class);
 private static RegistryManager registryManager = new RegistryManager();
@@ -144,7 +146,7 @@ public static boolean isValidTenant(String domain) {
 public static boolean isFileAppenderConfiguredForST() {
 Logger rootLogger = Logger.getRootLogger();
 DailyRollingFileAppender logger = (DailyRollingFileAppender) rootLogger
- .getAppender("CARBON_LOGFILE");
+ .getAppender(CARBON_LOGFILE_APPENDER);
 if (logger != null && CarbonContext.getThreadLocalCarbonContext().getTenantId() == org.wso2.carbon.base.MultitenantConstants.SUPER_TENANT_ID) {
 return true;
@@ -427,10 +429,21 @@ public static String[] getLogLinesFromFile(String logFile, int maxLogs, int star
 return logsList.toArray(new String[logsList.size()]);
 }
- private static InputStream getLocalInputStream(String logFile) throws FileNotFoundException {
- String fileName = CarbonUtils.getCarbonLogsPath() + LoggingConstants.URL_SEPARATOR
- + logFile;
- InputStream is = new BufferedInputStream(new FileInputStream(fileName));
+ private static InputStream getLocalInputStream(String logFile) throws FileNotFoundException, LogViewerException {
+ Path logFilePath = Paths.get(CarbonUtils.getCarbonLogsPath(), logFile);
+
+ if (!isPathInsideBaseDirectory(Paths.get(CarbonUtils.getCarbonLogsPath()), logFilePath)) {
+ throw new LogViewerException("Specified log file path is outside carbon logs directory.");
+ }
+
+ FileAppender carbonLogFileAppender = (FileAppender) Logger.getRootLogger().getAppender(CARBON_LOGFILE_APPENDER);
+ String carbonLogFileName = new File(carbonLogFileAppender.getFile()).getName();
+
+ if (!logFilePath.getFileName().startsWith(carbonLogFileName)) {
+ throw new LogViewerException("Trying to access logs other than CARBON_LOGFILE appender log file.");
+ }
+
+ InputStream is = new BufferedInputStream(new FileInputStream(logFilePath.toString()));
 return is;
 }
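Review bot: `carbonLogFileAppender` is dereferenced without a null check in the new getLocalInputStream body, although `Logger.getRootLogger().getAppender(CARBON_LOGFILE_APPENDER)` returns null when no appender of that name is configured — the -144 hunk guards the very same lookup with `logger != null`, so here a missing appender surfaces as a NullPointerException rather than a LogViewerException, and the unchecked `(FileAppender)` cast has the same failure mode if the appender is of another type. Separately, `logFilePath.getFileName().startsWith(carbonLogFileName)` is `Path.startsWith`, which compares whole name elements, not string prefixes: a file whose name is the appender's file name plus a rolled-over date suffix does not match, so only the exact current file name passes; if that is the intent, `equals` states it plainly, and if rolled-over files are meant to be readable (as the commit title suggests) the comparison needs `.toString().startsWith(...)`. Also worth noting that `normalize()` does not resolve symbolic links, so a link placed inside the logs directory is not caught by the containment check; `toRealPath()` on both sides would close that if it matters for this deployment. The rewrite below adds the null guard and makes the name comparison a string-prefix check.
```java
// … unchanged: containment check of logFilePath against the carbon logs directory …
FileAppender carbonLogFileAppender = (FileAppender) Logger.getRootLogger().getAppender(CARBON_LOGFILE_APPENDER);
if (carbonLogFileAppender == null) {
    throw new LogViewerException("CARBON_LOGFILE appender is not configured.");
}
String carbonLogFileName = new File(carbonLogFileAppender.getFile()).getName();

// String comparison: Path.startsWith matches whole name elements and would reject rolled-over files.
if (!logFilePath.getFileName().toString().startsWith(carbonLogFileName)) {
    throw new LogViewerException("Trying to access logs other than CARBON_LOGFILE appender log file.");
}
// … unchanged: open the BufferedInputStream and return it …
```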
@@ -486,5 +499,17 @@ private static int calculatePageLevel(int x) {
 return y;
 }
+ /**
+ * Tests if the provided path is inside the base directory path.
+ *
+ * @param baseDirPath absolute {@link Path} of the base directory in which we want to check whether the given path
+ * is inside
+ * @param path relative {@link Path} to be tested
+ * @return {@code true} if the given path is inside the base directory path, otherwise {@code false}
+ */
+ private static boolean isPathInsideBaseDirectory(Path baseDirPath, Path path) {
+ Path resolvedPath = baseDirPath.resolve(path).normalize();
+ return resolvedPath.startsWith(baseDirPath);
+ }
 }
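Review bot: The Javadoc on isPathInsideBaseDirectory describes `path` as a relative Path, but the only caller in this patch passes `Paths.get(CarbonUtils.getCarbonLogsPath(), logFile)`, which is already absolute; `resolve` then returns the argument unchanged, so the check still works, but the documented contract does not match the call. The base directory is also compared un-normalized, so if `getCarbonLogsPath()` ever contains `.` or `..` segments the `startsWith` comparison can fail for files that are genuinely inside it; normalizing both sides makes the check independent of how the base path is spelled: `Path base = baseDirPath.normalize(); return base.resolve(path).normalize().startsWith(base);`. The `@param path` text could read `the {@link Path} to be tested, either absolute or relative to {@code baseDirPath}`, and a note that symbolic links are not resolved would tell the next reader what this check does and does not guarantee.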