cocoon-users mailing list archives
From: "Per Kreipke" <...@onclave.com>
Subject: RE: Download Server - directory access denied
Date: Tue, 20 Aug 2002 18:09:01 GMT
> Wow! Great comment. I changed the URI to:
>
>   <cocoon base URI>/download?file=../../../conf/web.xml
>
> and actually accessed the file. Is this a concern to anyone else?
>
> Thanks Per.

Sure.

It might be a concern to others, but doing it in the resolver would probably
break just about everything in C2: the resolver is used by the sitemap to
get relative URLs for every pipeline, matcher etc. And viewing the source
using the samples might use relative paths.

I suggest that you subclass the default reader (which is what you're using, I
believe) and remove all string occurrences of '../' or '/..' or some such
before resolving. Then let the rest of the reader's code execute, thereby
returning 'invalid resource' errors when appropriate.

Note: You might want to remove the 'download' prefix on the <map:read> in
your sitemap and see if all of a sudden absolute URLs work too. Ouch if they
do.

Per
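As an added illustration (not code from the thread or from Cocoon itself) of validating a download request before a reader resolves it: instead of deleting '../' substrings, this hypothetical helper canonicalises the requested name under a fixed download directory and rejects anything that does not stay inside it, which also covers the absolute-URL case mentioned above. The class name, the base directory and the sample requests are assumptions for the example.

```java
import java.io.File;
import java.io.IOException;

/**
 * Hypothetical helper, not part of Cocoon: decides whether a "file"
 * request parameter may be served from a fixed download directory.
 */
public final class DownloadPathCheck {

    private final File base;          // canonical download directory

    public DownloadPathCheck(File base) throws IOException {
        this.base = base.getCanonicalFile();
    }

    /**
     * Returns the canonical file to serve, or null when the request must be
     * answered with an 'invalid resource' error instead.
     */
    public File resolve(String requested) throws IOException {
        if (requested == null || requested.length() == 0) {
            return null;
        }
        // Only plain relative names are acceptable: no absolute paths,
        // drive letters, backslashes or embedded NUL characters.
        if (requested.startsWith("/") || requested.indexOf('\\') >= 0
                || requested.indexOf(':') >= 0 || requested.indexOf('\0') >= 0) {
            return null;
        }
        // Canonicalisation collapses "." and ".." segments and follows
        // symlinks, so the containment test below sees the real target.
        File candidate = new File(base, requested).getCanonicalFile();
        String inside = base.getPath() + File.separator;
        if (!candidate.getPath().startsWith(inside)) {
            return null;          // escaped the download directory
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Assumed directory for the demonstration.
        DownloadPathCheck check = new DownloadPathCheck(new File("/opt/cocoon/downloads"));
        System.out.println(check.resolve("report.pdf"));             // served
        System.out.println(check.resolve("sub/../report.pdf"));      // served
        System.out.println(check.resolve("../../../conf/web.xml"));  // null
        System.out.println(check.resolve("/etc/passwd"));            // null
    }
}
```

The reader subclass would call resolve() on the request parameter and fall through to its normal error path whenever null comes back.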


---------------------------------------------------------------------
Please check that your question  has not already been answered in the
FAQ before posting.     <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail:     <cocoon-users-unsubscribe@xml.apache.org>
For additional commands, e-mail:   <cocoon-users-help@xml.apache.org>

