cocoon-dev mailing list archives

From Sylvain Wallez <sylv...@apache.org>
Subject Re: cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/source/impl ContextSourceFactory.java
Date Fri, 14 Nov 2003 13:58:34 GMT
cziegeler@apache.org wrote:

>cziegeler    2003/11/14 05:02:09
>
>  Modified:    .        status.xml
>               src/java/org/apache/cocoon/components/source/impl
>                        ContextSourceFactory.java
>  Log:
>     <action dev="CZ" type="fix" fixes-bug="24093">
>       Disable accessing files outside the context via the context protocol.
>     </action> 
>  
>
<snip/>

>           // Remove the protocol and the first '/'
>  -        int pos = location.indexOf(":/");
>  -        String path = location.substring(pos+1);
>  +        final int pos = location.indexOf(":/");
>  +        final String path = location.substring(pos+1);
>  +        
>  +        // fix for #24093, we don't give access to files outside the context:
>  +        if ( path.indexOf("../") != -1 ) {
>  +            throw new MalformedURLException("Invalid path ('../' is not allowed) :
" + path);
>  +        }
>  
>
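Review bot: the substring test `path.indexOf("../") != -1` in the added block is both too broad and too narrow for the goal stated in the log entry (no access to files outside the context). Too broad: it rejects `context://foo/bar/../baz`, which resolves to `foo/baz` inside the context, so ordinary relative references built from a base URI fail. Too narrow: it only matches the literal `../`, so a path whose final segment is a bare `..` with no trailing slash is not caught. Consider instead resolving the `.` and `..` segments of `path` (for example via `java.net.URI.normalize()` or an equivalent segment walk), rejecting the location when the normalized path still starts with `..` or would climb above the context root, and then using the normalized path for the lookup; this keeps the valid concatenation case working while enforcing the intended boundary, and the rule being enforced deserves a javadoc sentence on the factory rather than only the inline `#24093` comment.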

Isn't this way of checking too strict? We can have perfectly valid cases 
where one concatenates a "context://foo/bar/" base URI with a 
"../baz" relative path.

Sylvain

-- 
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
Orixo, the opensource XML business alliance  -  http://www.orixo.com


