Disallow .. in file path. Also logging, imports

src/main/java/org/dynmap/web/handlers/FileHandler.java

@@ -6,7 +6,6 @@ import java.io.OutputStream;
 import java.util.HashMap;
 import java.util.LinkedList;
 import java.util.Map;
-import java.util.logging.Logger;
 
 import org.dynmap.web.HttpField;
 import org.dynmap.web.HttpHandler;
@@ -15,8 +14,6 @@ import org.dynmap.web.HttpResponse;
 import org.dynmap.web.HttpStatus;
 
 public abstract class FileHandler implements HttpHandler {
-    protected static final Logger log = Logger.getLogger("Minecraft");
-    protected static final String LOG_PREFIX = "[dynmap] ";
     //BUG-this breaks re-entrancy of this handler, which is called from multiple threads (one per request)
     //private byte[] readBuffer = new byte[40960];
     //Replace with pool of buffers
@@ -59,7 +56,7 @@ public abstract class FileHandler implements HttpHandler {
         if (qmark >= 0)
             path = path.substring(0, qmark);
 
-        if (path.startsWith("/") || path.startsWith("."))
+        if (path.startsWith("/") || path.startsWith(".") || path.contains(".."))
             return null;
         if (path.length() == 0)
             path = getDefaultFilename(path);

src/main/java/org/dynmap/web/handlers/FilesystemHandler.java

@@ -21,6 +21,9 @@ public class FilesystemHandler extends FileHandler {
     }
     @Override
     protected InputStream getFileInput(String path, HttpRequest request, HttpResponse response) {
+        if(path == null)
+            return null;
+
         File file = new File(root, path);
         FileLockManager.getReadLock(file);
         if (file.getAbsolutePath().startsWith(root.getAbsolutePath()) && file.isFile()) {