cocoon-dev mailing list archives

From Upayavira ...@upaya.co.uk>
Subject Re: cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/source/impl ContextSourceFactory.java
Date Fri, 14 Nov 2003 14:43:07 GMT
Carsten Ziegeler wrote:

>Sylvain Wallez wrote:
>  
>
>>>          // Remove the protocol and the first '/'
>>> -        int pos = location.indexOf(":/");
>>> -        String path = location.substring(pos+1);
>>> +        final int pos = location.indexOf(":/");
>>> +        final String path = location.substring(pos+1);
>>> +        
>>> +        // fix for #24093, we don't give access to files 
>>>      
>>>
>>outside the context:
>>    
>>
>>> +        if ( path.indexOf("../") != -1 ) {
>>> +            throw new MalformedURLException("Invalid path 
>>>      
>>>
>>('../' is not allowed) : " + path);
>>    
>>
>>> +        }
>>> 
>>>
>>>      
>>>
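Review bot: the `path.indexOf("../") != -1` test in this hunk is a substring match, which is the wrong primitive for a containment check in both directions. It rejects locations that resolve fine inside the context, such as a base of context://foo/bar/ joined with ../baz (the strictness Sylvain raises below), and it still misses a ".." that is the final segment with no slash after it: for context:/.. the code above yields path = "/..", which contains no "../" and so passes. Resolve the path segment by segment instead (split on "/", drop "." and empty segments, pop on ".."), and throw the MalformedURLException only when a ".." has nothing left to pop. Also, `location.indexOf(":/")` is never checked for -1; a location without ":/" silently becomes `substring(0)`, i.e. the whole string, so guard that case with the same exception.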
>>Isn't this way of checking too strict? We can have perfectly valid cases 
>>where one concatenates a base "context://foo/bar/" base URI with a 
>>"../baz" relative path.
>>
>>    
>>
>Hmmm, who does such nice things?
>Ok, but you're right - don't we have a URL mangler somewhere that does
>this for us?
>
>Carsten
>  
>
IIRC NetUtils.normalize() will remove any .. from a URL. It splits on /, 
so it can handle a context: protocol, but how it deals with .. at the 
beginning of a URL I can't work out immediately. If it doesn't, it 
shouldn't be hard to patch it to work appropriately.

Don't know if this is relevant.

Regards, Upayavira

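As an added example, not code from Cocoon's ContextSourceFactory or its NetUtils.normalize(), here is the segment-wise resolution the thread is circling around, in Java. The class name ContextPathCheck and the method resolveWithinContext are assumed names for illustration. It keeps "../" legal inside the path, so a base of context://foo/bar/ joined with ../baz resolves to /foo/baz, it refuses a ".." that has nothing left to pop (the leading-".." case discussed above), and it also catches a trailing ".." with no slash after it, such as context:/.., which a substring search for "../" lets through.

```java
import java.net.MalformedURLException;
import java.util.ArrayDeque;
import java.util.Deque;

// Added example (hypothetical class, not Cocoon's own code): resolve a
// "context:" location segment by segment and refuse anything that would
// climb above the context root.
public final class ContextPathCheck {

    private static final String SCHEME = "context:";

    /**
     * Returns the canonical path (no "." or ".." segments, no empty
     * segments) under the context root, always starting with "/".
     * Throws MalformedURLException if the location is not a context: URL
     * or if a ".." segment would step outside the root.
     */
    public static String resolveWithinContext(String location)
            throws MalformedURLException {
        if (location == null || !location.startsWith(SCHEME)) {
            // Unlike indexOf(":/") followed by substring(pos + 1), this
            // does not silently accept a string without the scheme.
            throw new MalformedURLException("Not a context: URL: " + location);
        }
        // Strip the scheme and any leading slashes: "context://a" and
        // "context:/a" both name the path "a" under the context root.
        String path = location.substring(SCHEME.length());
        while (path.startsWith("/")) {
            path = path.substring(1);
        }

        Deque<String> stack = new ArrayDeque<String>();
        for (String segment : path.split("/", -1)) {
            if (segment.length() == 0 || segment.equals(".")) {
                continue;  // "a//b" and "a/./b" both collapse to "a/b"
            }
            if (segment.equals("..")) {
                if (stack.isEmpty()) {
                    // "..", "../x" and "a/../../x" all escape the root.
                    // A trailing ".." without a slash ("context:/..") is
                    // rejected here too, which a "../" substring test misses.
                    throw new MalformedURLException(
                        "Path escapes the context root: " + location);
                }
                stack.removeLast();  // "a/b/../c" becomes "a/c"
                continue;
            }
            stack.addLast(segment);
        }

        StringBuilder out = new StringBuilder();
        for (String segment : stack) {
            out.append('/').append(segment);
        }
        return out.length() == 0 ? "/" : out.toString();
    }

    public static void main(String[] args) throws MalformedURLException {
        // Base context://foo/bar/ joined with ../baz: legal, stays inside.
        System.out.println(resolveWithinContext("context://foo/bar/../baz"));
        // Leading "..": nothing to pop, so it is refused.
        String[] bad = { "context://../etc/passwd", "context:/..", "file:/x" };
        for (String location : bad) {
            try {
                resolveWithinContext(location);
                System.out.println("accepted (unexpected): " + location);
            } catch (MalformedURLException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

The returned path is what should be handed to the servlet context lookup; because every ".." has already been consumed against an in-root segment, the container never sees a relative reference it could resolve above the context root.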

