tapestry-dev mailing list archives

From Dmitry Gusev <dmitry.gu...@gmail.com>
Subject Re: Rationale behind the pathPattern regex in the RegexAuthorizer contribution
Date Tue, 19 Jan 2010 20:02:59 GMT
Then why not restrict relative paths only?

Current implementation forbids paths like:

/path/to/file-1.0.0.png

This isn't a relative path, but it has periods in the filename.

On Tue, Jan 19, 2010 at 20:45, Robert Zeigler <robertz@scazdl.org> wrote:

> To avoid attempts at circumventing restrictions via relative path
> specifications:
> /path/to/available/resource/../../../../path/to/secure/resource
>
> Some (most? all?) browsers will kindly get rid of the relative path
> reference from the request, but it's certainly possible via, eg, curl, wget,
> etc. to craft such a request.  Since we're not actually resolving the asset
> and determining the absolute location, only looking at the requested path
> via regex, it's prudent to deter such attempts.
>
> Robert
>
>
> On Jan 19, 2010, at 1/194:26 AM , Ulrich Stärk wrote:
>
>> What was the rationale behind not allowing dots in the path part of the
>> URL and additional dots in the filename?
>>
>> Are there any objections against allowing them?
>>
>> Uli
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: dev-help@tapestry.apache.org
>>
>
>


-- 
Dmitry Gusev

AnjLab Team
http://anjlab.com
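The two positions in this thread side by side, as an added example that is not part of the original posts and not Tapestry's own RegexAuthorizer code: NO_DOTS_IN_PATH is my approximation of the rule the thread describes (the actual contributed pattern is not quoted here), and NO_DOT_SEGMENTS is an alternative that rejects only whole "." and ".." segments, which is what a relative-path request actually needs.

```python
import re
from urllib.parse import unquote

# Assumed approximation of the restrictive rule discussed in the thread:
# no dots in directory segments and exactly one dot in the filename.
# This is a reconstruction for illustration, not the Tapestry pattern.
NO_DOTS_IN_PATH = re.compile(r"/(?:[^/.]+/)*[^/.]+\.[^/.]+")

# Alternative: dots are allowed anywhere, but a segment that is exactly
# "." or ".." (the only thing that makes a path relative) is rejected.
# Each segment is "/" followed by one or more non-slash characters, and the
# negative lookahead refuses a segment made of one or two dots.
NO_DOT_SEGMENTS = re.compile(r"(?:/(?!\.{1,2}(?:/|$))[^/]+)+")


def allowed_by(pattern: re.Pattern, requested_path: str) -> bool:
    """True if the whole requested path matches the given pattern.

    The path is percent-decoded once before matching: a regex that only
    sees the raw request string would not recognise an encoded "%2e%2e"
    segment. fullmatch() plays the role of Java's Pattern.matches().
    """
    return pattern.fullmatch(unquote(requested_path)) is not None


if __name__ == "__main__":
    # Constructed sample requests, including the thread's two examples.
    samples = [
        "/path/to/file.png",
        "/path/to/file-1.0.0.png",
        "/path/to/available/resource/../../../../path/to/secure/resource",
        "/assets/%2e%2e/secret.txt",
        "/a//b.txt",
    ]
    for path in samples:
        print(f"{path:<60} no-dots={allowed_by(NO_DOTS_IN_PATH, path)!s:<5} "
              f"no-dot-segments={allowed_by(NO_DOT_SEGMENTS, path)}")
```

Both patterns refuse the traversal request from Robert's reply; only the second one also accepts the versioned filename from Dmitry's reply.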
