cocoon-dev mailing list archives

From "Carsten Ziegeler" <cziege...@s-und-n.de>
Subject RE: cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/source/impl ContextSourceFactory.java
Date Fri, 14 Nov 2003 14:11:24 GMT
Sylvain Wallez wrote:
> 
> >           // Remove the protocol and the first '/'
> >  -        int pos = location.indexOf(":/");
> >  -        String path = location.substring(pos+1);
> >  +        final int pos = location.indexOf(":/");
> >  +        final String path = location.substring(pos+1);
> >  +        
> >  +        // fix for #24093, we don't give access to files 
> outside the context:
> >  +        if ( path.indexOf("../") != -1 ) {
> >  +            throw new MalformedURLException("Invalid path 
> ('../' is not allowed) : " + path);
> >  +        }
> >  
> >
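Review bot: the substring test `path.indexOf("../") != -1` in the added block does not match the intent of the #24093 fix in either direction. It rejects ordinary segment names that merely contain the characters "../" (a directory called "foo.." gives "foo../bar"), and it misses a final ".." segment with no trailing slash (a path ending in "/.." never contains "../"), which is exactly the form that climbs out of the context. Suggest resolving the "." and ".." segments of `path` first and throwing only when the resolved path leaves the context root, then using the resolved path for the lookup, so that a legitimate "context://foo/bar/" + "../baz" still works.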
> 
> Isn't this way of checking too strict? We can have perfectly valid cases 
> where one concatenates a base "context://foo/bar/" base URI with a 
> "../baz" relative path.
> 
Hmmm, who does such nice things?
Ok, but you're right - don't we have a URL mangler somewhere that does
this for us?

Carsten
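One way to do the containment check discussed above, resolving "." and ".." segments and refusing only paths that climb above the context root, so that "foo/bar/" + "../baz" is accepted while a bare "/.." is refused. This is an added example, not Cocoon code; the class and method names and the sample paths are constructed for illustration.

```java
import java.net.MalformedURLException;
import java.util.ArrayDeque;
import java.util.Deque;

public class ContextPathCheck {

    // Normalises the path part of a context: URI segment by segment and
    // refuses any path whose ".." segments would climb above the context root.
    // Returns the normalised path, always starting with '/'.
    public static String normaliseWithinContext(String path) throws MalformedURLException {
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;               // "//" and "/./" carry no information
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    // climbing above the root: the case #24093 is about
                    throw new MalformedURLException("Path escapes the context: " + path);
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);  // "foo.." and "..bar" are ordinary names
        }
        StringBuilder out = new StringBuilder();
        for (String s : segments) {
            out.append('/').append(s);
        }
        return out.length() == 0 ? "/" : out.toString();
    }

    public static void main(String[] args) {
        // constructed sample paths
        String[] samples = {
            "/foo/bar/../baz",  // valid relative navigation: accepted, gives /foo/baz
            "/foo../bar",       // contains "../" but is an ordinary name: accepted
            "/foo/bar/..",      // trailing ".." without '/': stays inside, gives /foo
            "/..",              // no "../" substring, yet climbs above the root: rejected
            "/foo/../../etc"    // climbs above the root: rejected
        };
        for (String sample : samples) {
            try {
                System.out.println(sample + " -> " + normaliseWithinContext(sample));
            } catch (MalformedURLException e) {
                System.out.println(sample + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```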
