Wow! Great comment. I changed the URI to:

  <cocoon base URI>/download?file=../../../conf/web.xml

and actually accessed the file. Is this a concern to anyone else?

Thanks Per.

Matthew

> Note: not sure if this will happen, but passing the file name 
> as a request, you may want to make sure that it doesn't 
> contain a sequence of '../' such that the user is walking up 
> your tree to get at some other resource outside 'download'. 
> I'm not sure if the resolver prevents this automatically or not.
> 
> Per
> 
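The check Per describes, as an added example that is not part of the original thread and is not Cocoon's own code: resolve the `file` parameter against the download directory and serve it only if the normalized, symlink-resolved path is still inside that directory. The class name, `resolveDownload`, and the temporary directory layout are assumptions made for illustration; it needs Java 11 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class DownloadPathCheck {
    /** Hypothetical helper: map a client-supplied name to a file under downloadRoot, or throw. */
    static Path resolveDownload(Path downloadRoot, String requested) throws IOException {
        if (requested == null || requested.isEmpty() || requested.indexOf('\0') >= 0) {
            throw new SecurityException("empty or malformed file parameter");
        }
        Path root = downloadRoot.toRealPath();       // canonical form of the allowed directory
        Path rel = Path.of(requested);
        if (rel.isAbsolute()) {                      // resolve() would discard root for an absolute path
            throw new SecurityException("absolute paths are not allowed");
        }
        // normalize() collapses "." and ".." lexically; startsWith() compares whole
        // path components, so a sibling such as "download-old" does not match "download".
        Path candidate = root.resolve(rel).normalize();
        if (!candidate.startsWith(root)) {
            throw new SecurityException("path escapes the download directory");
        }
        // toRealPath() follows symlinks (and throws if the file is missing), so a
        // link placed inside the directory cannot point the download elsewhere.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside the download directory");
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/download/report.txt and <tmp>/conf/web.xml
        Path base = Files.createTempDirectory("download-demo");
        Path download = Files.createDirectories(base.resolve("download"));
        Files.createDirectories(base.resolve("conf"));
        Files.writeString(base.resolve("conf").resolve("web.xml"), "<web-app/>");
        Files.writeString(download.resolve("report.txt"), "sample");

        String[] names = {"report.txt", "../conf/web.xml", "sub/../../conf/web.xml",
                          "../../../conf/web.xml"};
        for (String name : names) {
            try {
                System.out.println(name + " -> served: " + resolveDownload(download, name));
            } catch (SecurityException | IOException e) {
                System.out.println(name + " -> rejected: " + e);
            }
        }
    }
}
```

Apply the check to the parameter value after the servlet container has URL-decoded it, so encoded forms of `../` are evaluated in their decoded form.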
