Gary Benson wrote:
>Olivier Jolly wrote:
>
>>I propose to check the validity of a File resource by walking through
>>all the path components and making sure that all intermediate components
>>are valid (i.e. File.isDirectory and File.exists are true) and that we
>>never try to get "out" of the root directory.
>
>What you describe is mostly implemented in File.getCanonicalPath().
>A fix for your issue might be as simple as:
>
>  String base = new File(ROOT).getCanonicalPath() + File.separator;
>  String resource = new File(ROOT, RESOURCE).getCanonicalPath();
>  if (!resource.startsWith(base))
>    throw new Whatever();
>
>where ROOT and RESOURCE are the classloader root and the resource
>you're after, respectively.

I implemented this but it doesn't satisfy all the behaviours of the Sun
implementation. Notably, getCanonicalPath/File isn't aware of the root, so
you can escape it and come back and still satisfy the startsWith condition,
while my first patch would have caught this "error" like Sun's. It also seems
to compact "xxx/../yyy" to "yyy" whether xxx exists or not, which doesn't
mimic Sun's behaviour either. It really is a bummer since the
getCanonicalPath/File trick looked very neat.

>Cheers,
>
> Take care
>Gary
>
>
+Olivier
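The two behaviours discussed above, side by side, as an added illustration that is not code from this thread or from either implementation: the canonical-prefix check from the quoted suggestion next to a per-component walk that rejects a path as soon as any prefix leaves the root or passes through a non-existent directory. Class, method and fixture names (ResourcePathCheck, canonicalCheck, componentWalkCheck, the temp directory layout) are assumed for the example.

```java
import java.io.File;
import java.io.IOException;

public class ResourcePathCheck {

    // Canonical-prefix check from the quoted suggestion: let the OS resolve
    // ".." and only then compare the final path against the root.
    static boolean canonicalCheck(File root, String resource) throws IOException {
        String base = root.getCanonicalPath() + File.separator;
        String target = new File(root, resource).getCanonicalPath();
        return target.startsWith(base);
    }

    // Component walk: fail as soon as any prefix of the path leaves the root,
    // or as soon as an intermediate component is not an existing directory.
    static boolean componentWalkCheck(File root, String resource) throws IOException {
        String base = root.getCanonicalPath();
        String[] parts = resource.split("[/\\\\]");
        File cur = root;
        for (int i = 0; i < parts.length; i++) {
            if (parts[i].isEmpty() || parts[i].equals(".")) continue;
            cur = new File(cur, parts[i]);
            String canon = cur.getCanonicalPath();
            if (!canon.equals(base) && !canon.startsWith(base + File.separator))
                return false; // stepped "out" of the root, even if a later ".." comes back
            if (i < parts.length - 1 && !cur.isDirectory())
                return false; // intermediate component must exist and be a directory
        }
        return cur.exists();
    }

    public static void main(String[] args) throws IOException {
        // Constructed fixture: <tmp>/root/x, with no "missing" directory under root.
        File tmp = File.createTempFile("clroot", "");
        tmp.delete();
        File root = new File(tmp, "root");
        root.mkdirs();
        new File(root, "x").createNewFile();
        // "../root/x" escapes and comes back; "missing/../x" passes through a
        // directory that does not exist. The canonical check accepts both.
        String[] samples = { "x", "../root/x", "missing/../x", "../outside" };
        for (String s : samples)
            System.out.println(s + "  canonical=" + canonicalCheck(root, s)
                               + "  walk=" + componentWalkCheck(root, s));
    }
}
```

Run it against a scratch directory on a Unix-like system; the walk rejects the second and third samples while the canonical-prefix check lets them through.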
