archiva-dev mailing list archives

From Joakim Erdfelt <>
Subject Re: normalize usage in RepositoryAccess
Date Sat, 09 Dec 2006 03:24:36 GMT
The "Request Path" is what is being tested here.

Proper pattern is "/${repoId}/${pathToResource}"
The idea with the normalize found in RepositoryAccess is to prevent a
user from requesting resources outside of the repository tree, such
as /etc/passwd or /etc/groups or the configuration files for the

The process isn't as straightforward as it seems.
Normalize was a convenient way to handle test cases such as
"/central/../../../etc/passwd" which should return the
${pathToResource} of "/etc/passwd" which in turn is just
tacked onto the end of the actual filesystem path for the ${repoId}.

In this use case, having UNC support in normalize makes no sense.

Pardon my VooDoo (floater) induced reply.

- Joakim Erdfelt

Henri Yandell wrote:
> In looking at moving from Plexus FileUtils.normalize to IO
> FilenameUtils.normalize, there's one feature difference in that the
> latter does not convert '//etc/passwd' to '/etc/passwd'. Kenney
> suggests on #plexus that that is probably to support Windows SMB
> names.
> RepositoryAccessTest contains a test that now fails:
>        assertRequestPath( "central", "/etc/passwd", "/central//etc/passwd" );
> It returns '//etc/passwd'.
> Anyone know if the solution here is:
> a) To consider /etc/passwd the right answer.
> or
> b) To modify the getRepositoryPath method to fold '^//' into '/'.
> Or something else?
> Hen
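
The normalize-then-append scheme Joakim describes, as an added example that is not Archiva's RepositoryAccess code and not Plexus FileUtils or Commons IO FilenameUtils: a segment-based normalizer that clamps '..' at the repository root and folds any run of slashes, including a leading '//', to one '/' (option (b) in Henri's question); a splitter for the "/${repoId}/${pathToResource}" layout; and a resolver that appends the normalized resource path to the repository root and then checks containment independently. The REPO_ROOTS map and its filesystem paths are constructed assumptions. The stdlib_normalize helper is there only to show that Python's posixpath.normpath also keeps a leading '//', the same behaviour the thread reports for FilenameUtils.normalize.

```python
"""Request-path handling for the "/${repoId}/${pathToResource}" layout.

Added illustration, not Archiva's RepositoryAccess, Plexus or Commons IO code.
The repository roots below are constructed, hypothetical paths.
"""
import posixpath

# Constructed sample configuration (assumption): repoId -> filesystem root.
REPO_ROOTS = {
    "central": "/var/archiva/repositories/central",
    "snapshots": "/var/archiva/repositories/snapshots",
}


def normalize_resource_path(path: str) -> str:
    """Collapse '.', '..' and runs of '/' in a path relative to the repo root.

    A '..' that would climb above the root is discarded, so
    '/../../../etc/passwd' becomes '/etc/passwd' instead of escaping.
    Every run of slashes, including a leading '//', folds to a single '/'
    (option (b) in the thread): a request path carries no UNC meaning.
    """
    stack = []
    for segment in path.split("/"):
        if segment in ("", "."):
            continue                 # '' comes from a leading or doubled slash
        if segment == "..":
            if stack:
                stack.pop()          # up one level, but never above the root
            continue
        stack.append(segment)
    return "/" + "/".join(stack)


def split_request(request_path: str):
    """Return (repoId, pathToResource) for '/${repoId}/${pathToResource}'.

    The repoId is the first segment; the remainder is normalized relative
    to that repository's root, so traversal sequences after the repoId can
    only ever land somewhere inside the repository tree.
    """
    if not request_path.startswith("/"):
        raise ValueError("request path must start with '/': %r" % request_path)
    repo_id, _, rest = request_path[1:].partition("/")
    if not repo_id or repo_id in (".", ".."):
        raise ValueError("request path carries no repository id: %r" % request_path)
    return repo_id, normalize_resource_path("/" + rest)


def resolve(request_path: str, repo_roots=REPO_ROOTS) -> str:
    """Map a request path to a filesystem path inside the repository tree.

    Normalization already makes escape impossible; the commonpath check is
    a second, independent guard so that a later change to the normalizer
    cannot silently reopen the traversal.
    """
    repo_id, resource = split_request(request_path)
    try:
        root = repo_roots[repo_id]
    except KeyError:
        raise ValueError("unknown repository %r" % repo_id) from None
    fs_path = posixpath.normpath(root + resource)
    if posixpath.commonpath([root, fs_path]) != root:
        raise ValueError("resolved outside repository: %r" % fs_path)
    return fs_path


def stdlib_normalize(path: str) -> str:
    """posixpath.normpath, for comparison only: like FilenameUtils.normalize
    as reported in the thread, it preserves exactly two leading slashes,
    because POSIX leaves the meaning of a leading '//' implementation-defined.
    """
    return posixpath.normpath(path)


if __name__ == "__main__":
    for req in ("/central/org/apache/maven/maven-core/2.0/maven-core-2.0.pom",
                "/central/../../../etc/passwd",
                "/central//etc/passwd",
                "/snapshots/./a/../b//c"):
        print("%-62s -> %s" % (req, resolve(req)))
    print("posixpath.normpath('//etc/passwd') ->", stdlib_normalize("//etc/passwd"))
```

Running the module prints each constructed request beside the repository-local path it resolves to; "/central/../../../etc/passwd" ends up under the central root, not at the system's /etc/passwd. The commonpath check never fires with this normalizer in place, which is the point: it is there to catch a future regression in normalization, not to do the containment work itself.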
