myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeanne Waldman (JIRA)" <...@myfaces.apache.org>
Subject [jira] Commented: (TRINIDAD-703) Make image loading more secure
Date Fri, 14 Sep 2007 17:33:32 GMT

    [ https://issues.apache.org/jira/browse/TRINIDAD-703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12527576
] 

Jeanne Waldman commented on TRINIDAD-703:
-----------------------------------------

It turns out that Firefox and IE both resolve urls that have ".." in them to take out the
"..".  Even css background-image urls.

Therefore, it should be suspicious if we get a ".." in the path.
I plan to:

1. warn if I see ".." in the path, because this should never happen
2. if "..", then figure out if the resolved path lies within the root or not
3. severe error if the resolved path is outside the root.



> Make image loading more secure
> ------------------------------
>
>                 Key: TRINIDAD-703
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-703
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>            Reporter: Jeanne Waldman
>            Assignee: Jeanne Waldman
>
> Andy Schwartz found this issue:
> We register our image resource loader with a fairly loose pattern:
>     register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
>              new CoreClassLoaderResourceLoader(parent));
> In theory could someone get at an image on the class path outside of our own
> images by doing crafting a funky URL along the lines of
>  "../../../../oracle/someotherpackage/foo.gif"? 
> ClassLoaderResourceLoader
> should prevent access outside of the "rootPackage".

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


Mime
View raw message