[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
[ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12688620#action_12688620 ]

Stoil Valchkov commented on AXIS2-4282:

This fix will actually reject a case like import location ../test.xsd in META-INF/dir1/dir2/test.wsdl, which is perfectly valid.

JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Key: AXIS2-4282
URL: https://issues.apache.org/jira/browse/AXIS2-4282
Project: Axis 2.0 (Axis2)
Issue Type: Bug
Components: kernel
Affects Versions: 1.5, nightly
Reporter: Jarek Gawor
Assignee: Jarek Gawor
Fix For: 1.5, nightly

If JarFileClassLoader contains one classpath entry that is a directory, it will allow resources to be loaded from ANY directory on the file system. The JarFileClassLoader should of course only allow resources to be loaded from within the directory specified.

--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
[ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12688697#action_12688697 ]

Jarek Gawor commented on AXIS2-4282:

Stoil,

No, it won't. It's the WSDL parser's responsibility to resolve ../test.xsd against META-INF/dir1/dir2/test.wsdl. That results in META-INF/dir1/test.xsd, which then should be passed to the classloader.
[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
[ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12688700#action_12688700 ]

Andreas Veithen commented on AXIS2-4282:

...except that this is probably not how the WSDL parser works. I didn't look at the code but I bet that the parser would first call getResource and then resolve ../test.xsd against the returned URL. Since in the case discussed here, this will be a file: URL, the WSDL could still reference imports that are located outside of the root directory. (Note that this is actually not a security issue.)
[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
[ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12688713#action_12688713 ]

Jarek Gawor commented on AXIS2-4282:

The WSDL parser resolves relative imports based on the location of the document which has those imports. So for example, if the META-INF/dir1/dir2/test.wsdl document has an import on ../test.xsd, then this will resolve to META-INF/dir1/test.xsd. If the document is a file URL or jar URL or whatever URL, the relative import will still be the same type of URL, just with the resolved path as described before.

But this issue and fix have nothing to do with how WSDL and XSD imports are handled or resolved. The classloader that is tied to a particular directory must only serve resources and classes from within that directory. The fix ensures that. That's all.
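The containment rule and the import resolution discussed in the messages above, as an added example that is not part of the thread and is not the Axis2 or Geronimo code. The class and method names are hypothetical, unsafeLookup is a simplified model of the behaviour the issue describes, and the directory layout is constructed in a temp directory.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;

// Added illustration; not Axis2 or Geronimo code. All names are hypothetical.
public class DirectoryResourceLookup {

    // Simplified model of the reported behaviour: the resource name is joined
    // to the classpath directory and used as-is, so ".." segments escape it.
    static File unsafeLookup(File root, String name) {
        File f = new File(root, name);
        return f.isFile() ? f : null;
    }

    // Containment check: canonicalize both paths (collapses ".." and follows
    // symlinks), then require the result to stay under the root directory.
    static File safeLookup(File root, String name) throws IOException {
        File canonicalRoot = root.getCanonicalFile();
        File candidate = new File(canonicalRoot, name).getCanonicalFile();
        if (!candidate.toPath().startsWith(canonicalRoot.toPath())) {
            return null; // outside the classpath directory: not served
        }
        return candidate.isFile() ? candidate : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: <tmp>/classes is the classpath directory.
        File base = Files.createTempDirectory("cl-demo").toFile();
        File root = new File(base, "classes");
        new File(root, "META-INF/dir1/dir2").mkdirs();
        Files.write(new File(root, "META-INF/dir1/test.xsd").toPath(), "<xsd/>".getBytes());
        Files.write(new File(base, "outside.txt").toPath(), "outside".getBytes());

        // A resource name whose ".." points outside the classpath directory.
        System.out.println("unsafe serves ../outside.txt: " + (unsafeLookup(root, "../outside.txt") != null));
        System.out.println("safe serves ../outside.txt:   " + (safeLookup(root, "../outside.txt") != null));

        // The import from the thread, resolved against the WSDL location first.
        String resolved = URI.create("META-INF/dir1/dir2/test.wsdl")
                .resolve("../test.xsd").toString();
        System.out.println("resolved import: " + resolved);
        System.out.println("safe serves resolved import: " + (safeLookup(root, resolved) != null));

        // An unresolved ".." that stays inside the root is still inside after canonicalization.
        System.out.println("safe serves dir2/../test.xsd: " + (safeLookup(root, "META-INF/dir1/dir2/../test.xsd") != null));
    }
}
```

Comparing canonical paths component by component with Path.startsWith avoids the sibling-prefix mistake of a plain string prefix test, where a directory named classes-other would pass a check against classes.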
[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
[ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12688263#action_12688263 ]

Andreas Veithen commented on AXIS2-4282:

I was wondering whether .. is actually allowed in Java resource names. If not, we should try to implement JarFileClassLoader correctly once and for all.
[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
[ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12688340#action_12688340 ]

Jarek Gawor commented on AXIS2-4282:

I'm not too worried about that. In 99.99% of cases no one will try to use .. in resource names unless they are trying to hack something or are doing something totally wrong. But of course, if you want to improve this, please go ahead.
[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
[ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12688201#action_12688201 ]

Davanum Srinivas commented on AXIS2-4282:

Jarek,

JarFileClassLoader was originally from Geronimo...

thanks,
dims
[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
[ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanelfocusedCommentId=12688204#action_12688204 ]

Jarek Gawor commented on AXIS2-4282:

Yep. It's fixed in Geronimo too.