From 113c56d6578ad72e528fd093f65831f0b76127cd Mon Sep 17 00:00:00 2001
From: Cristian Maglie
Date: Tue, 21 Jan 2020 12:32:51 +0100
Subject: [PATCH] Even stricter sanity checks
---
 .../contributions/DownloadableContributionsDownloader.java | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java b/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
index 68b88a9f9..ee32dff53 100644
--- a/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
+++ b/arduino-core/src/cc/arduino/contributions/DownloadableContributionsDownloader.java
@@ -64,7 +64,10 @@ public class DownloadableContributionsDownloader {
 URL url = new URL(contribution.getUrl());
 // Filter out paths from file name
 String filename = new File(contribution.getArchiveFileName()).getName();
- Path outputFile = Paths.get(stagingFolder.getAbsolutePath(), filename);
+ Path outputFile = Paths.get(stagingFolder.getAbsolutePath(), filename).normalize();
+ if (outputFile.toFile().isDirectory()) {
+ throw new Exception(format("Can't download {0}: invalid filename or exinsting directory", contribution.getArchiveFileName()));
+ }
 // Ensure the existence of staging folder
 Files.createDirectories(stagingFolder.toPath());
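Review bot: The new `isDirectory()` test only rejects a bad archive file name when the normalized path happens to be an existing directory, and it runs before `Files.createDirectories(stagingFolder.toPath())`, so on a first run a name such as `.` or an empty string resolves to the not-yet-created staging folder and passes. `File.getName()` strips directory components but leaves `.` and `..` as they are, so containment is better checked directly than inferred from filesystem state: `Path stagingRoot = Paths.get(stagingFolder.getAbsolutePath()).normalize();` followed by `if (!stagingRoot.equals(outputFile.getParent()) || outputFile.toFile().isDirectory()) {`. The exception message also has a typo (`exinsting` should be `existing`). The enclosing method starts and ends outside this hunk, so how `outputFile` is used afterwards is not visible here.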