avalon-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 21395] - [PATCH] don't normalize away /foo/.. for files as foo may be a symlink
Date Sat, 12 Jul 2003 19:27:56 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395

[PATCH] don't normalize away /foo/.. for files as foo may be a symlink

------- Additional Comments From bruno@outerthought.org  2003-07-12 19:27 -------
The patch has not yet been applied, but I'll do it soon. Your example
illustrated to me that your security concerns are not relevant here. This is
because the SourceResolver doesn't know what the {1} part is, it just gets the
whole string and performs normalization on that. It's up to the code
constructing that string to perform normalization on the {1} part if it comes
from an untrusted source. (And in an environment like Cocoon the {1} usually
comes from the request URI, which is already normalized by the container, so
that is safe already).

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@avalon.apache.org
For additional commands, e-mail: dev-help@avalon.apache.org
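An added example (not part of this message, nor code from Avalon's SourceResolver) of the point in the bug title and in the comment above: collapsing "link/.." textually names a different file than the filesystem opens when "link" is a symlink, so the normalization the comment places on the caller must check the resolved path, not the normalized string. The directory layout, file names and symlink are constructed in a temp dir.

```python
import os
import shutil
import tempfile


def lexical_normalize(path: str) -> str:
    """Textual normalization only: collapses 'a/b/..' to 'a' without touching
    the filesystem. This is the behaviour the patch argues against for files."""
    return os.path.normpath(path)


def is_within(root: str, path: str) -> bool:
    """Containment check on the filesystem-resolved path (symlinks followed
    before '..' is applied). Checking the lexically normalized string instead
    gives a different, misleading answer (see demo())."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return real_path == real_root or real_path.startswith(real_root + os.sep)


def demo() -> dict:
    """Constructed layout in a temp dir (all names are illustrative):
        base/webapp/index.txt
        base/webapp/link  -> ../outside/sub   (symlink leaving webapp)
        base/outside/sub/
        base/outside/index.txt
    and compares how 'webapp/link/../index.txt' is interpreted."""
    base = os.path.realpath(tempfile.mkdtemp())
    webapp = os.path.join(base, "webapp")
    outside = os.path.join(base, "outside")
    os.makedirs(os.path.join(outside, "sub"))
    os.makedirs(webapp)
    for d in (webapp, outside):
        with open(os.path.join(d, "index.txt"), "w") as f:
            f.write("constructed sample in %s\n" % os.path.basename(d))
    os.symlink(os.path.join("..", "outside", "sub"), os.path.join(webapp, "link"))

    requested = os.path.join(webapp, "link", "..", "index.txt")
    lexical = lexical_normalize(requested)   # .../webapp/index.txt: looks harmless
    resolved = os.path.realpath(requested)   # .../outside/index.txt: what the OS opens
    result = {
        "lexical": lexical,
        "resolved": resolved,
        "same_file": lexical == resolved,
        "lexical_passes_check": is_within(webapp, lexical),
        "real_path_passes_check": is_within(webapp, requested),
    }
    shutil.rmtree(base)
    return result
```

Running demo() shows the textual form passing a root-containment check while the path the filesystem actually resolves to fails it, which is why a resolver must not fold "foo/.." away for files before the caller has validated the input.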

