From ga...@apache.org
Subject svn commit: r757300 - in /geronimo/server/trunk/framework/modules/geronimo-kernel/src: main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java
Date Mon, 23 Mar 2009 02:30:27 GMT
Author: gawor
Date: Mon Mar 23 02:30:27 2009
New Revision: 757300

URL: http://svn.apache.org/viewvc?rev=757300&view=rev
Log:
ensure resources can only be loaded from within the directory specified (GERONIMO-4600)

Modified:
    geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java
    geronimo/server/trunk/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java

Modified: geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java?rev=757300&r1=757299&r2=757300&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java
(original)
+++ geronimo/server/trunk/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java
Mon Mar 23 02:30:27 2009
@@ -37,7 +37,7 @@
 
     public ResourceHandle getResourceHandle(String resourceName) {
         File file = new File(baseDir, resourceName);
-        if (!file.exists()) {
+        if (!file.exists() || !isLocal(file)) {
             return null;
         }
 
@@ -49,6 +49,16 @@
         }
     }
 
+    private boolean isLocal(File file) {
+        try {
+            String base = baseDir.getCanonicalPath();
+            String relative = file.getCanonicalPath();
+            return (relative.startsWith(base));
+        } catch (IOException e) {
+            return false;
+        }
+    }
+
     public Manifest getManifest() throws IOException {
         if (!manifestLoaded) {
             File manifestFile = new File(baseDir, "META-INF/MANIFEST.MF");
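Review bot: The containment check in `isLocal` compares canonical paths as plain strings with `relative.startsWith(base)`, so a sibling directory whose name merely begins with the base directory's name (base `.../jar1`, file under `.../jar10/`) is still treated as local. Comparing against the base path with a trailing separator closes that gap: `return relative.equals(base) || relative.startsWith(base.endsWith(File.separator) ? base : base + File.separator);`. Returning `false` on `IOException` fails closed, which is the right default, and deserves a short comment such as `// unresolvable path: treat as outside baseDir`. The guarded call site is in the first hunk, in `getResourceHandle`, whose body continues outside that hunk.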

Modified: geronimo/server/trunk/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java?rev=757300&r1=757299&r2=757300&view=diff
==============================================================================
--- geronimo/server/trunk/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java
(original)
+++ geronimo/server/trunk/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java
Mon Mar 23 02:30:27 2009
@@ -110,6 +110,14 @@
         assertNull(resource.getManifest());
     }
 
+    public void testDirectoryResourceScope() throws Exception {
+        URL jar = new File(BASEDIR, "src/test/data/resourceFinderTest/jar1/").toURL();
+        UrlResourceFinder resourceFinder = new UrlResourceFinder(new URL[]{jar});
+
+        ResourceHandle resource = resourceFinder.getResource("../jar2/resource");
+        assertNull(resource);
+    }
+    
     public void testJarResource() throws Exception {
         URL jar = jarFile.toURL();
         UrlResourceFinder resourceFinder = new UrlResourceFinder(new URL[]{jar});
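Review bot: `testDirectoryResourceScope` can pass without exercising the new check, because `assertNull(resource)` also holds when `jar2/resource` is simply missing; the lookup already returned null for non-existent files before this change. Whether that fixture exists is not visible in the diff, so assert it first: `assertTrue(new File(BASEDIR, "src/test/data/resourceFinderTest/jar2/resource").exists());`. The test also uses only a sibling whose name does not start with `jar1`, so a prefix-only path comparison would go unnoticed. A second case with a sibling fixture whose name begins with `jar1` would cover that.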


