cocoon-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Per Kreipke" <>
Subject RE: Download Server - directory access denied
Date Tue, 20 Aug 2002 18:09:01 GMT
> Wow! Great comment. I changed the URI to:
>   <cocoon base URI>/download?file=../../../conf/web.xml
> and actually accessed the file. Is this a concern to anyone else?
> Thanks Per.


It might be a concern to others, but doing it in the resolver would probably
break just about everything in C2: the resolver is used by the sitemap to
get relative URLs for every pipeline, matcher etc. And viewing the source
using the samples might use relative paths.

I suggest that you subclass the default reader (which is what you're using I
believe) and remove all string occurrences of '../' or '/..' or somesuch
before resolving. Then let the rest of the reader's code execute, thereby
returning 'invalid resource' errors when appropriate.

Note: You might want to remove the 'download' prefix on the <map:read> in
your sitemap and see if all of a sudden absolute URLs work too. Ouch if they


Please check that your question  has not already been answered in the
FAQ before posting.     <>

To unsubscribe, e-mail:     <>
For additional commands, e-mail:   <>

View raw message