From: "Carsten Ziegeler"
To: dev@cocoon.apache.org
Subject: RE: cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/source/impl ContextSourceFactory.java
Date: Fri, 14 Nov 2003 15:11:24 +0100
In-Reply-To: <3FB4DF8A.6050906@apache.org>
Mailing-List: contact dev-help@cocoon.apache.org; run by ezmlm
Sylvain Wallez wrote:

>
> > // Remove the protocol and the first '/' > > - int pos = location.indexOf(":/"); > > - String path = location.substring(pos+1); > > + final int pos = location.indexOf(":/"); > > + final String path = location.substring(pos+1); > > + > > + // fix for #24093, we don't give access to files > outside the context: > > + if ( path.indexOf("../") != -1 ) { > > + throw new MalformedURLException("Invalid path > ('../' is not allowed) : " + path); > > + }
>
> Isn't this way of checking too strict? We can have perfectly valid cases
> where one concatenates a "context://foo/bar/" base URI with a
> "../baz" relative path.

Hmmm, who does such nice things? Ok, but you're right - don't we have a URL mangler somewhere that does this for us?

Carsten
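Review bot: the `path.indexOf("../") != -1` test is a plain substring match, so it is wrong in both directions: it rejects paths that never leave the context (`foo/bar/../baz` resolves to `foo/baz`, the case Sylvain raises) and it accepts escapes that do not contain that exact substring, such as a location ending in `..` with no trailing slash (`context://foo/..` or `context://..` pass the check). Suggest replacing the substring test with a segment-wise resolution of `.` and `..` that throws only when a `..` would pop above the context root, and then using the resolved path for the lookup rather than the raw one. Two smaller points in the same hunk: `location.substring(pos+1)` with `pos` at the `:` of `":/"` keeps the first `/` rather than removing it as the comment "Remove the protocol and the first '/'" says, so the check runs on a path that still starts with `/`; and if `location` can reach this point percent-encoded or with backslashes, the substring check sees neither, which is worth confirming before relying on it as the fix for #24093.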
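The segment-wise resolution that Sylvain's objection calls for, as an added example (my code, not Cocoon's ContextSourceFactory and not the URL mangler Carsten asks about): it strips the `context:` scheme, resolves `.` and `..` one segment at a time, and rejects a location only when a `..` would climb above the context root, so `context://foo/bar/../baz` is accepted as `foo/baz` while `context://../etc/passwd` is refused and the trailing-`..` form a `"../"` substring test lets through is handled. The class name, the treatment of leading slashes, the constructed sample locations and the use of Java 8 APIs are all my assumptions.

```java
import java.net.MalformedURLException;
import java.util.ArrayDeque;
import java.util.Deque;

// Added example, not Cocoon's ContextSourceFactory: resolve "." and ".."
// segments of a context: location and reject only paths that climb above
// the context root. Class name and leading-slash handling are assumptions.
public class ContextPathCheck {

    // Strip the scheme up to ":/" and any leading slashes, so that
    // "context://foo/bar" and "context:/foo/bar" both yield "foo/bar".
    static String stripScheme(String location) {
        int pos = location.indexOf(":/");
        String path = (pos == -1) ? location : location.substring(pos + 1);
        int i = 0;
        while (i < path.length() && path.charAt(i) == '/') {
            i++;
        }
        return path.substring(i);
    }

    // Resolve the path segment by segment. Popping ".." off an empty stack
    // means the path points above the context root, which is the only case
    // that is rejected; "foo/bar/../baz" resolves to "foo/baz" and is allowed.
    static String resolveInsideContext(String location) throws MalformedURLException {
        Deque<String> segments = new ArrayDeque<String>();
        for (String seg : stripScheme(location).split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;           // empty segments ("//") and "." change nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    throw new MalformedURLException(
                        "Invalid path (escapes the context) : " + location);
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed sample locations: two that stay inside the context, two
        // that escape it, and the trailing ".." case a "../" substring test misses.
        String[] samples = {
            "context://foo/bar/../baz",     // -> foo/baz
            "context://foo/./bar//qux",     // -> foo/bar/qux
            "context://../etc/passwd",      // rejected
            "context://foo/../../secret",   // rejected: second ".." climbs above the root
            "context://foo/..",             // -> "" (the context root itself)
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> \"" + resolveInsideContext(s) + "\"");
            } catch (MalformedURLException e) {
                System.out.println(s + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```

The resolved string, not the raw location, is what should then be handed to the context lookup. The check works on the characters it is given: if the location can arrive percent-encoded or with backslashes, it has to be decoded and normalised to forward slashes before this point, otherwise `%2e%2e` or `..\` would pass as ordinary segment names.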