archiva-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Joakim Erdfelt <joa...@erdfelt.com>
Subject Re: normalize usage in RepositoryAccess
Date Sat, 09 Dec 2006 03:24:36 GMT
The "Request Path" is what is being tested here.

Proper pattern is "/${repoId}/${pathToResource}"
The idea with the normalize found in RepositoryAccess is to prevent a
user from requesting resources outside of the repository tree, such
as /etc/passwd or /etc/groups or the configuration files for the
database.

The process isn't as straight forward as it seems.
Normalize was a convenient way to handle test cases such as
"/central/../../../etc/passwd" which should return the
${pathToResource} of "/etc/passwd" which in turn is just
tacked onto the end of the actual filesystem path for the ${repoId}.

In this use case, having UNC support in normalize makes no sense.

Pardon my VooDoo (floater) induced reply.

- Joakim Erdfelt


Henri Yandell wrote:
> In looking at moving from Plexus FileUtils.normalize to IO
> FilenameUtils.normalize, there's on feature difference in that the
> latter does not convert '//etc/passwd' to '/etc/passwd'. Kenney
> suggests on #plexus that that is probably to support Windows SMB
> names.
>
> RepositoryAccessTest contains a test that now fails:
>
>        assertRequestPath( "central", "/etc/passwd",
> "/central//etc/passwd" );
>
> It returns '//etc/passwd'.
>
> Anyone know if the solution here is:
>
> a) To consider /etc/passwd the right answer.
> or
> b) To modify the getRepositoryPath method to fold '^//' into '/'.
>
> Or something else?
>
> Hen
>


Mime
View raw message