Confluence Data Center / CONFSERVER-30735

Arbitrary file creation in AbstractRendererExporterImpl

Description

      To reproduce:
      1. Create a new space.
      2. Create a new page.
      3. Attach a file called test.txt to the page.
      4. Edit the page, and add an image with the URL:

      /confluence/s/download/attachments/[page_id]/_/../../../../../../../../../../../../tmp/test.txt

      ([page_id] must be replaced with the actual page id, and /confluence must be replaced with the base path, e.g. /wiki on OD)

      5. Export the space as HTML.
      6. test.txt will appear in /tmp.


      The name test.txt is just for the example. This could also be used to create a plugin or script file, leading to code execution.

      The path traversal occurs in exportResource in AbstractRendererExporterImpl.java. This is all that needs to be fixed.

      The exploit also takes advantage of the flexible nature of AttachmentUrlParser and of the fact that ExportPathUtils removes the static resource prefix from files which can later be treated as attachments, although neither of these is a vulnerability on its own. The path is examined as an attachment in two different places: in getExportPathFromAttachment, where the "/attachment" has been filtered because it looks like the static resource prefix, and later in AttachmentUrlParser, where the "/attachment" has not been filtered. This allows access to the attachment file stream while bypassing the path provided by Attachment.getExportPath().

      The export is being written by default to
      "<homedir>/temp/htmlexport-20130912-093912-13"
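      The fix described above amounts to canonicalising the path an exported resource will be written to and refusing anything outside the export directory. The following is an illustrative containment check added here, not Confluence's code; the export root and attachment paths are constructed for the example.

```python
from pathlib import Path, PurePosixPath


class PathTraversalError(ValueError):
    """Raised when a requested export path would escape the export directory."""


def resolve_export_target(export_root: str, requested: str) -> Path:
    """Resolve an attachment path taken from page markup against export_root.

    Illustrative check for this issue (not Confluence's own exportResource):
    reject absolute paths and '..' segments up front, then confirm that the
    fully resolved target is still inside the resolved export root.
    """
    root = Path(export_root).resolve()

    # The path comes from a URL, so normalise it on POSIX rules regardless
    # of the host platform before looking at its segments.
    rel = PurePosixPath(requested)
    if rel.is_absolute():
        raise PathTraversalError(f"absolute export path rejected: {requested}")
    parts = [p for p in rel.parts if p not in ("", ".")]
    if ".." in parts:
        raise PathTraversalError(f"'..' segment in export path: {requested}")

    # Belt and braces: even with the segment checks above, verify the resolved
    # target (symlinks followed) is root itself or one of its descendants.
    target = (root / Path(*parts)).resolve()
    if target != root and root not in target.parents:
        raise PathTraversalError(f"export path escapes {root}: {requested}")
    return target


def is_safe_export_path(export_root: str, requested: str) -> bool:
    """Boolean wrapper so callers can log and skip a bad resource instead of raising."""
    try:
        resolve_export_target(export_root, requested)
        return True
    except PathTraversalError:
        return False


if __name__ == "__main__":
    # Constructed export root mirroring the default location named in this issue.
    root = "/srv/confluence-home/temp/htmlexport-20130912-093912-13"
    for candidate in ("attachments/12345/test.txt",
                      "attachments/12345/_/../../../../../../../../../../../../tmp/test.txt"):
        print(candidate, "->", "ok" if is_safe_export_path(root, candidate) else "REJECTED")
```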

People

  igerges Issac Gerges (Inactive)
  djohnson@atlassian.com Dougall Johnson