From 59a3e98d73a57584a5dd97ddea23e91eb7080990 Mon Sep 17 00:00:00 2001
From: Cristian Maglie
Date: Tue, 21 Jan 2020 10:42:12 +0100
Subject: [PATCH 1/2] Improved sanity checks on filenames in package_index.json
---
 .../contributions/DownloadableContributionsDownloader.java | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java b/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
index 4ddca67b3cd..68b88a9f931 100644
--- a/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
+++ b/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
@@ -62,7 +62,9 @@ public File download(DownloadableContribution contribution, Progress progress, f
 public File download(DownloadableContribution contribution, Progress progress, final String statusText, ProgressListener progressListener, boolean noResume, boolean allowCache) throws Exception {
 URL url = new URL(contribution.getUrl());
- Path outputFile = Paths.get(stagingFolder.getAbsolutePath(), contribution.getArchiveFileName());
+ // Filter out paths from file name
+ String filename = new File(contribution.getArchiveFileName()).getName();
+ Path outputFile = Paths.get(stagingFolder.getAbsolutePath(), filename);
 // Ensure the existence of staging folder
 Files.createDirectories(stagingFolder.toPath());
From 723f19e9b5f727cdd3b89c7c0998c0db30f66977 Mon Sep 17 00:00:00 2001
From: Cristian Maglie
Date: Tue, 21 Jan 2020 12:32:51 +0100
Subject: [PATCH 2/2] Even stricter sanity checks
---
 .../contributions/DownloadableContributionsDownloader.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java b/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
index 68b88a9f931..ee32dff5386 100644
--- a/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
+++ b/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
@@ -64,7 +64,10 @@ public File download(DownloadableContribution contribution, Progress progress, f
 URL url = new URL(contribution.getUrl());
 // Filter out paths from file name
 String filename = new File(contribution.getArchiveFileName()).getName();
- Path outputFile = Paths.get(stagingFolder.getAbsolutePath(), filename);
+ Path outputFile = Paths.get(stagingFolder.getAbsolutePath(), filename).normalize();
+ if (outputFile.toFile().isDirectory()) {
+ throw new Exception(format("Can't download {0}: invalid filename or exinsting directory", contribution.getArchiveFileName()));
+ }
 // Ensure the existence of staging folder
 Files.createDirectories(stagingFolder.toPath());
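Review bot: The new `if (outputFile.toFile().isDirectory())` guard only rejects a hostile name when the normalized path happens to land on an existing directory, and it runs before `Files.createDirectories(stagingFolder.toPath())`, so a name that normalizes to the staging folder itself (`.` or an empty string) passes whenever that folder does not exist yet, while a benign archive whose name collides with a pre-existing directory is reported as an invalid filename. A containment check decides by construction rather than by filesystem state: `Path staging = stagingFolder.toPath().toAbsolutePath().normalize();` followed by `if (!staging.equals(outputFile.getParent())) {` throwing the same exception rejects `.`, `..`, empty names and anything that resolved outside the staging folder, independent of what already exists on disk. The message on the `throw` line misspells `exinsting`; `existing` is meant, and including the resolved `outputFile` in it would show where the rejected name actually landed. `download` continues outside the hunk.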