Merge pull request DSpace#11273 from tdonohue/port_11171_to_7x

tdonohue · web-flow · commit a063a7a4f6b3 · 2025-09-08T13:23:38.000-05:00
[Port dspace-7_x] Error in file upload after security fixes
diff --git a/dspace-api/src/main/java/org/dspace/storage/bitstore/DSBitStoreService.java b/dspace-api/src/main/java/org/dspace/storage/bitstore/DSBitStoreService.java
@@ -19,9 +19,11 @@
 import java.util.List;
 import java.util.Map;
 
+import org.apache.commons.lang3.StringUtils;
 import org.apache.logging.log4j.Logger;
 import org.dspace.content.Bitstream;
 import org.dspace.core.Utils;
+import org.dspace.services.factory.DSpaceServicesFactory;
 
 /**
  * Native DSpace (or "Directory Scatter" if you prefer) asset store.
@@ -252,7 +254,10 @@ protected File getFile(Bitstream bitstream) throws IOException {
         }
         File bitstreamFile = new File(bufFilename.toString());
         Path normalizedPath = bitstreamFile.toPath().normalize();
-        if (!normalizedPath.startsWith(baseDir.getAbsolutePath())) {
+        String[] allowedAssetstoreRoots = DSpaceServicesFactory.getInstance().getConfigurationService()
+                .getArrayProperty("assetstore.allowed.roots", new String[]{});
+        if (!normalizedPath.startsWith(baseDir.getAbsolutePath())
+            && !StringUtils.startsWithAny(normalizedPath.toString(), allowedAssetstoreRoots)) {
             log.error("Bitstream path outside of assetstore root requested:" +
                     "bitstream={}, path={}, assetstore={}",
                     bitstream.getID(), normalizedPath, baseDir.getAbsolutePath());
diff --git a/dspace/config/modules/assetstore.cfg b/dspace/config/modules/assetstore.cfg
@@ -12,12 +12,15 @@ assetstore.dir = ${dspace.dir}/assetstore
 # This value will be used as `incoming` default store inside the `bitstore.xml`
 # Possible values are:
 #     - 0: to use the `localStore`;
-#     - 1: to use the `s3Store`. 
+#     - 1: to use the `s3Store`.
 # If you want to add additional assetstores, they must be added to that bitstore.xml
 # and new values should be provided as key-value pairs in the `stores` map of the
-# `bitstore.xml` configuration. 
+# `bitstore.xml` configuration.
 assetstore.index.primary = 0
 
+#if the assetstore path is symbolic link, use this configuration to allow that path.
+#assetstore.allowed.roots = /data/assetstore
+
 #---------------------------------------------------------------#
 #-------------- Amazon S3 Specific Configurations --------------#
 #---------------------------------------------------------------#
@@ -54,4 +57,4 @@ assetstore.s3.awsSecretKey =
 
 # If the credentials are left empty,
 # then this setting is ignored and the default AWS region will be used.
-assetstore.s3.awsRegionName =
+assetstore.s3.awsRegionName =
