cocoon-dev mailing list archives

From Niclas Hedhman <nic...@localbar.com>
Subject Re: [PATCH] Cocoon 2 Relative Directory Fix
Date Tue, 18 Apr 2000 06:06:56 GMT
"Timm, Sean" wrote:

> The following diff allows relative paths specified in the sitemap
> configuration file to be based off of the context root specified in the
> servlet engine configuration.  In other words, if the context "/cocoon" is
> mapped to "C:\my_cocoon_install\web", then specifying "../index.xml" will
> refer to  "C:\my_cocoon_install\index.xml" and "subdir/index.xml" will refer
> to "C:\my_cocoon_install\web\subdir\index.xml".
>
> This does bring up a question, though.  It seems to me that if I refer to
> "/whatever" in my sitemap, it should be relative to my context root, as
> well, so it should resolve as "C:\my_cocoon_install\whatever".  However, it
> currently resolves to "C:\whatever".  I'm not so sure that Cocoon should be
> playing outside of the context the servlet engine passes it.  The patch I am
> submitting only takes care of the relative paths, but it seems like we
> should handle these absolute paths differently, as well.

Isn't this a bit more complex in actual reality??

You are bringing up a very important point, which is security related. What
resources should Cocoon be allowed to obtain outside the Servlet context? How
do we restrict the use of ../../../ to obtain system information? How about
symbolic links?

The relativity of the root, and the relative paths is another issue. If we are
implementing multilevel sitemaps, sitemaps in directories and so forth, does it
mean that each of them has a different root, allowing for delegated management?

Not providing any answers, just asking relevant questions.

Niclas
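
One possible answer to the `../../../` and symbolic-link questions raised above, as an added example that is not part of the original message or of Cocoon's code. It assumes the policy that nothing outside the context root may be read (stricter than what the quoted patch describes for `../index.xml`) and that a leading `/` means the context root; the class and method names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper, not Cocoon code: resolves a sitemap path against the
// servlet context root and refuses anything that ends up outside it.
public class ContextPathResolver {
    private final Path root;

    public ContextPathResolver(Path contextRoot) throws IOException {
        // Canonicalise the root once so later containment checks compare like with like.
        this.root = contextRoot.toRealPath();
    }

    public Path resolve(String sitemapPath) throws IOException {
        // Policy assumption: a leading "/" means "context root", not filesystem root.
        String rel = sitemapPath.replace('\\', '/').replaceFirst("^/+", "");
        Path lexical = root.resolve(rel).normalize();
        // Lexical check: catches "../" sequences before the filesystem is touched.
        // Path.startsWith compares whole name elements, not string prefixes.
        if (!lexical.startsWith(root)) {
            throw new SecurityException("escapes context root: " + sitemapPath);
        }
        // toRealPath() follows symbolic links (and throws if the file is missing),
        // so the real location is checked again.
        Path real = lexical.toRealPath();
        if (!real.startsWith(root)) {
            throw new SecurityException("symlink leaves context root: " + sitemapPath);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout mirroring the thread: <install>/web is the context root.
        Path install = Files.createTempDirectory("my_cocoon_install");
        Path web = Files.createDirectories(install.resolve("web"));
        Files.createDirectories(web.resolve("subdir"));
        Files.createFile(web.resolve("subdir/index.xml"));
        Files.createFile(install.resolve("index.xml"));
        // Creating symlinks may need extra privileges on Windows.
        Files.createSymbolicLink(web.resolve("link.xml"), install.resolve("index.xml"));

        ContextPathResolver r = new ContextPathResolver(web);
        for (String p : new String[] {"subdir/index.xml", "/subdir/index.xml",
                                      "../index.xml", "link.xml"}) {
            try {
                System.out.println(p + " -> " + r.resolve(p));
            } catch (SecurityException e) {
                System.out.println(p + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

The check and the later file open are separate steps, so a symlink swapped in between them is not covered; per-sitemap roots for delegated management would mean one resolver instance per sitemap directory.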

