myfaces-dev mailing list archives

From "Jeanne Waldman (JIRA)" <...@myfaces.apache.org>
Subject [jira] Created: (TRINIDAD-703) Make image loading more secure
Date Tue, 11 Sep 2007 22:17:32 GMT
Make image loading more secure
------------------------------

                 Key: TRINIDAD-703
                 URL: https://issues.apache.org/jira/browse/TRINIDAD-703
             Project: MyFaces Trinidad
          Issue Type: Bug
            Reporter: Jeanne Waldman
            Assignee: Jeanne Waldman


Andy Schwartz found this issue:

We register our image resource loader with a fairly loose pattern:
    register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
             new CoreClassLoaderResourceLoader(parent));

In theory could someone get at an image on the class path outside of our own
images by crafting a funky URL along the lines of
 "../../../../oracle/someotherpackage/foo.gif"?
ClassLoaderResourceLoader should prevent access outside of the "rootPackage".


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
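
The containment check the issue asks for, sketched as an added example; it is not code from the original message or from the Trinidad code base. The class name RootPackageCheck, the resolve() helper and the root package value are hypothetical, and the request path is assumed to be URL-decoded already.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.regex.Pattern;

public class RootPackageCheck {
    // The registration pattern quoted in the issue.
    static final Pattern REGISTERED =
        Pattern.compile("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))");

    // Hypothetical root package, written as a class path prefix.
    static final String ROOT_PACKAGE = "com/example/images";

    /**
     * Resolves an already URL-decoded request path against rootPackage.
     * Returns the class path resource name, or null when a ".." segment
     * would step above rootPackage.
     */
    static String resolve(String rootPackage, String requestPath) {
        Deque<String> segments = new ArrayDeque<>();
        for (String s : rootPackage.split("/")) {
            if (!s.isEmpty()) segments.addLast(s);
        }
        int rootDepth = segments.size();
        // Treat '\' as a separator too, so "..\" cannot slip past the check.
        for (String s : requestPath.replace('\\', '/').split("/")) {
            if (s.isEmpty() || s.equals(".")) continue;
            if (s.equals("..")) {
                if (segments.size() <= rootDepth) return null; // leaves the root
                segments.removeLast();
            } else {
                segments.addLast(s);
            }
        }
        return String.join("/", segments);
    }

    public static void main(String[] args) {
        String[] samples = { // constructed request paths
            "/error.gif",
            "/icons/./small/../error.gif",
            "/../../../../oracle/someotherpackage/foo.gif",
        };
        for (String path : samples) {
            boolean registered = REGISTERED.matcher(path).matches();
            String resource = resolve(ROOT_PACKAGE, path);
            System.out.println(path + "  pattern=" + registered + "  -> "
                + (resource == null ? "REJECTED" : resource));
        }
    }
}
```

The registration pattern accepts all three sample paths because ".*" also matches "../" segments, so the pattern alone cannot keep a request inside the root package; the segment-depth check is what refuses the third path.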

