avalon-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From bugzi...@apache.org
Subject DO NOT REPLY [Bug 21395] - [PATCH] don't normalize away /foo/.. for files as foo may be a symlink
Date Sun, 13 Jul 2003 10:08:01 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395

[PATCH] don't normalize away /foo/.. for files as foo may be a symlink





------- Additional Comments From tagunov@motor.ru  2003-07-13 10:08 -------
1)

>From Bruno Dumon wrote:

BD> Even with normalizing, you can access (or at least 
address) 
BD> any file on the filesystem.

This won't happen if the normalization won't 
allow anyone go up over
the context-root configured. This is probably not the way the code 
is
written now, but for security reasons it may well be preferrable not
to allow anyone get via 
/../ over the root against which the resolution
is done.

Does it sound good?

If we 
recode it to behave like this, we're back secure again

2)

The request from Cocoon use case 
we're dealing with seems to require different
behavior. Maybe I have missed something (and I 
really have missed what is being
spoke about the URI absolutizer,
but in general, since we're 
Avalon, and since we have
all these nifty configs around, I guess it
shouldn't be too 
difficult to configure SourceFactories
almost in any way. Can this be a parameter to 
FileSource
factory to switch off normalization?

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@avalon.apache.org
For additional commands, e-mail: dev-help@avalon.apache.org


Mime
View raw message