cocoon-dev mailing list archives

From Bruno Dumon <br...@outerthought.org>
Subject RE: cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/source/impl ContextSourceFactory.java
Date Fri, 14 Nov 2003 14:29:59 GMT
On Fri, 2003-11-14 at 15:11, Carsten Ziegeler wrote:
> Sylvain Wallez wrote:
> > 
> > >           // Remove the protocol and the first '/'
> > >  -        int pos = location.indexOf(":/");
> > >  -        String path = location.substring(pos+1);
> > >  +        final int pos = location.indexOf(":/");
> > >  +        final String path = location.substring(pos+1);
> > >  +        
> > >  +        // fix for #24093, we don't give access to files 
> > outside the context:
> > >  +        if ( path.indexOf("../") != -1 ) {
> > >  +            throw new MalformedURLException("Invalid path 
> > ('../' is not allowed) : " + path);
> > >  +        }
> > >  
> > >
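Review bot: the `path.indexOf("../") != -1` check in the added lines is both too strict and incomplete: it rejects any "../" even when the resolved path stays inside the context (the "context://foo/bar/" plus "../baz" case raised below), and it does not catch a path whose last segment is ".." with no trailing slash. Suggest collapsing "." and ".." segments first and rejecting only a ".." that would climb above the context root, or resolving relative references through the SourceResolver instead of concatenating strings.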
> > 
> > Isn't this way of checking too strict? We can have perfectly valid cases 
> > where one concatenates a base "context://foo/bar/" base URI with a 
> > "../baz" relative path.
> > 
> Hmmm, who does such nice things?

The one who does such nice things should use the method
SourceResolver.resolve(String location, String base, Map parameters)
instead of concatenating the two strings.

> Ok, but you're right - don't we have a URL mangler somewhere that does
> this for us?

The SourceResolver does all that.

-- 
Bruno Dumon                             http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
bruno@outerthought.org                          bruno@apache.org
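As an added illustration of the resolve-then-check approach recommended above (hypothetical code, not Cocoon's SourceResolver; it assumes the base is a context:// URI and that the context root is the only boundary to enforce):

```java
import java.net.MalformedURLException;
import java.util.ArrayDeque;
import java.util.Deque;

// Hypothetical helper, not Cocoon's SourceResolver: merge a relative reference with
// its "context:" base, collapse "." and ".." segments, and reject only a ".." that
// would climb above the context root.
public class ContextPathCheck {
    static final String PREFIX = "context://";

    static String resolveInContext(String base, String relative) throws MalformedURLException {
        if (!base.startsWith(PREFIX)) {
            throw new MalformedURLException("base is not a context: URI: " + base);
        }
        String basePath = base.substring(PREFIX.length());
        String merged;
        if (relative.startsWith("/")) {
            merged = relative;                                   // absolute-path reference
        } else {
            int slash = basePath.lastIndexOf('/');               // drop the base's last segment
            merged = (slash < 0 ? "" : basePath.substring(0, slash + 1)) + relative;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : merged.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                                        // "//" and "/./" collapse
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {                        // nothing left to climb out of
                    throw new MalformedURLException("Path escapes the context: " + merged);
                }
                segments.removeLast();                           // climb inside the context
            } else {
                segments.addLast(seg);
            }
        }
        return PREFIX + String.join("/", segments);
    }

    public static void main(String[] args) throws MalformedURLException {
        // The valid case from the thread: "../baz" below "context://foo/bar/" stays inside.
        System.out.println(resolveInContext("context://foo/bar/", "../baz"));
        // Climbing above the root is still refused after normalisation.
        try {
            resolveInContext("context://foo/", "../../outside.txt");
        } catch (MalformedURLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```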

