It seems that file name escaping by ["] is better solution.
http://www.speechcomputing.com/node/2577
private static boolean isQuoted(String arg, String errorMessage) {
int lastPos = arg.length() - 1;
if (lastPos >=1 && arg.charAt(0) == '"' && arg.charAt(lastPos)
== '"') {
// The argument has already been quoted.
if (arg.indexOf('"', 1) != lastPos) {
// There is ["] inside.
throw new IllegalArgumentException(errorMessage);
}
return true;
}
if (arg.indexOf('"') >= 0) {
// There is ["] inside.
throw new IllegalArgumentException(errorMessage);
}
return false;
}
private static String getExecutablePath(File file)
throws IOException
{
String path = file.getPath();
boolean pathIsQuoted = isQuoted(path,
"File name has embedded quote");
return pathIsQuoted
? path
: ("\"" + path + "\"");
}
this.ShellExecute(getExecutablePath(file), ACTION_XXXX_VERB);
That reduces the injection scenario and is more compatible with
[ShellExecute] spec:
http://msdn.microsoft.com/en-gb/library/windows/desktop/bb762153%28v=vs.85%29.aspx
Regards,
-uta
On 01.03.2013 19:17, Artem Ananiev wrote:
Your comments are welcome ;)
Thanks,
Artem
-------- Original Message --------
Subject: <AWT Dev> [8] Review request for 6550588: java.awt.Desktop
cannot open file with Windows UNC filename
Date: Fri, 01 Mar 2013 18:38:03 +0400
From: Anton Litvinov <[email protected]>
Organization: Oracle Corporation
To: [email protected]
Hello,
Please review the following fix for a bug.
Bug: http://bugs.sun.com/view_bug.do?bug_id=6550588
Webrev: http://cr.openjdk.java.net/~alitvinov/6550588/webrev.00
The bug consists in inability to open a file with Windows UNC pathname
by means of "java.awt.Desktop.open" method. The solution adds code to
"sun.awt.windows.WDesktopPeer" class which modifies URI received as a
result of a call to "java.io.File.toURI" method to make it satisfy the
requirements of Windows API concerning a number of consecutive '/'
characters following a scheme part of URI. Also regression tests related
to "java.awt.Desktop" were run on Windows XP and Windows 7, no negative
changes were detected.
A comment with the latest information about the analysis of this issue
was added to the bug's page, but it is not available at
"http://bugs.sun.com"; yet, because of the time required for
synchronization. Therefore it is provided below.
The comment:
During analysis of this bug the following facts were defined:
1. URI strings constructed from Windows UNC pathnames like former
mentioned "\\host\path\to\f i l e.txt" can still be handled by
"ShellExecute()" Windows Shell function, if the URI string is not
encoded. Presence of space characters in the URI string does not
make the function fail, for example "file:////host/path/to/f i l
e.txt" can be successfully processed by "ShellExecute()" function.
2. Windows API is designed to handle URI strings with "file"
protocol scheme correctly, when the strings have certain number of
'/' characters after the scheme name:
- 2 slashes for URI converted from a Windows UNC pathname. For
example, "\\host\path\to\f i l e.txt" corresponds to the URI
"file://host/path/to/f%20i%20l%20e.txt".
- 3 slashes for URI converted from a local Windows file path.
For example, "C:\Temp Dir\f i l e.txt" corresponds to the URI
"file:///C:/Temp%20Dir/f%20i%20l%20e.txt".
This fact is described in the article at the following URL
(http://blogs.msdn.com/b/ie/archive/2006/12/06/file-uris-in-windows.aspx).
3. Current implementation of the class "java.io.File" converts
abstract file names to URI in the following way:
- "C:\Temp\File.txt" -> "file:/C:/Temp/File.txt".
- "\\host\SharedFolder\Temp\File.txt" ->
"file:////host/SharedFolder/Temp/File.txt".
Since "java.io.File" is cross-platform and stable, perhaps,
additional modification of the URI string to the format expected by
Windows API can be implemented in Windows specific part of
"java.awt.Desktop" class.
Thank you,
Anton
