archiva-dev mailing list archives

From "Henri Yandell" <flame...@gmail.com>
Subject Re: normalize usage in RepositoryAccess
Date Sat, 16 Dec 2006 01:23:09 GMT
Would changing it from:

            String path = FileUtils.normalize( repoPath );  // Plexus

to:

            String path = FilenameUtils.normalize( repoPath );  // IO
            path = path.replaceFirst("^//*", "/");

be a good enough fix?

Hen

On 12/8/06, Joakim Erdfelt <joakim@erdfelt.com> wrote:
> The "Request Path" is what is being tested here.
>
> Proper pattern is "/${repoId}/${pathToResource}"
> The idea with the normalize found in RepositoryAccess is to prevent a
> user from requesting resources outside of the repository tree, such
> as /etc/passwd or /etc/groups or the configuration files for the
> database.
>
> The process isn't as straightforward as it seems.
> Normalize was a convenient way to handle test cases such as
> "/central/../../../etc/passwd" which should return the
> ${pathToResource} of "/etc/passwd" which in turn is just
> tacked onto the end of the actual filesystem path for the ${repoId}.
>
> In this use case, having UNC support in normalize makes no sense.
>
> Pardon my VooDoo (floater) induced reply.
>
> - Joakim Erdfelt
>
>
> Henri Yandell wrote:
> > In looking at moving from Plexus FileUtils.normalize to IO
> > FilenameUtils.normalize, there's one feature difference in that the
> > latter does not convert '//etc/passwd' to '/etc/passwd'. Kenney
> > suggests on #plexus that that is probably to support Windows SMB
> > names.
> >
> > RepositoryAccessTest contains a test that now fails:
> >
> >        assertRequestPath( "central", "/etc/passwd",
> > "/central//etc/passwd" );
> >
> > It returns '//etc/passwd'.
> >
> > Anyone know if the solution here is:
> >
> > a) To consider /etc/passwd the right answer.
> > or
> > b) To modify the getRepositoryPath method to fold '^//' into '/'.
> >
> > Or something else?
> >
> > Hen
> >
>
>

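As an added illustration of the request-path handling Joakim describes (this is not Archiva's RepositoryAccess code and not Henri's patch, and it deliberately avoids both Plexus FileUtils and commons-io FilenameUtils): the repoId is split off first, then the remainder is normalised so that a leading "//" folds to "/" instead of being read as a UNC prefix, and ".." can never climb above the repository root. It assumes the request path has already been URL-decoded; the class and method names are made up for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/** Hypothetical helper for "/${repoId}/${pathToResource}" request paths. */
public final class RequestPathNormalizer {

    /** The two parts of a request path, as the thread describes them. */
    public static final class RequestPath {
        public final String repoId;
        public final String pathToResource;
        RequestPath(String repoId, String pathToResource) {
            this.repoId = repoId;
            this.pathToResource = pathToResource;
        }
    }

    /**
     * Collapses runs of '/' (a leading "//" included, so no UNC handling),
     * drops "." segments and resolves "..". A ".." that would climb above
     * the root is discarded, so the result is always safe to append to the
     * repository's filesystem root. Only '/' is a separator: this is an
     * HTTP request path, not an OS path, so '\' is an ordinary character.
     */
    public static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/+")) {          // "/+" swallows "//" too
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (!segments.isEmpty()) {              // never above the root
                    segments.removeLast();
                }
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    /** Splits off the repoId first, then normalises only the resource part. */
    public static RequestPath parse(String requestPath) {
        int slash = requestPath.startsWith("/") ? requestPath.indexOf('/', 1) : -1;
        String repoId = slash > 1 ? requestPath.substring(1, slash) : "";
        if (repoId.isEmpty() || repoId.equals(".") || repoId.equals("..")) {
            throw new IllegalArgumentException("bad request path: " + requestPath);
        }
        return new RequestPath(repoId, normalize(requestPath.substring(slash)));
    }
}
```

With this, "/central//etc/passwd" yields repoId "central" and pathToResource "/etc/passwd" (the failing assertion from the thread), and "/central/../../../etc/passwd" yields the same "/etc/passwd" relative to the repository root rather than the system file.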