cziegeler    2003/11/14 05:02:09

  Modified:    .        status.xml
               src/java/org/apache/cocoon/components/source/impl
                        ContextSourceFactory.java
  Log:
     <action dev="CZ" type="fix" fixes-bug="24093">
       Disable accessing files outside the context via the context protocol.
     </action> 
  
  Revision  Changes    Path
  1.194     +4 -4      cocoon-2.1/status.xml
  
  Index: status.xml
  ===================================================================
  RCS file: /home/cvs/cocoon-2.1/status.xml,v
  retrieving revision 1.193
  retrieving revision 1.194
  diff -u -r1.193 -r1.194
  --- status.xml        13 Nov 2003 12:32:47 -0000      1.193
  +++ status.xml        14 Nov 2003 13:02:09 -0000      1.194
  @@ -192,9 +192,9 @@
     <changes>
   
    <release version="@version@" date="@date@">
  -  <action dev="NN" type="fix">
  -    DUMMY
  -  </action>
  +   <action dev="CZ" type="fix" fixes-bug="24093">
  +     Disable accessing files outside the context via the context protocol.
  +   </action> 
    </release>
    <release version="2.1.3" date="November 13 2003">
      <action dev="DC" type="fix" fixes-bug="24463" due-to-email="[EMAIL 
PROTECTED]" due-to="Leo Leonid">
  
  
  
  1.5       +12 -6     
cocoon-2.1/src/java/org/apache/cocoon/components/source/impl/ContextSourceFactory.java
  
  Index: ContextSourceFactory.java
  ===================================================================
  RCS file: 
/home/cvs/cocoon-2.1/src/java/org/apache/cocoon/components/source/impl/ContextSourceFactory.java,v
  retrieving revision 1.4
  retrieving revision 1.5
  diff -u -r1.4 -r1.5
  --- ContextSourceFactory.java 25 Oct 2003 18:06:20 -0000      1.4
  +++ ContextSourceFactory.java 14 Nov 2003 13:02:09 -0000      1.5
  @@ -69,9 +69,10 @@
   import org.apache.cocoon.environment.Context;
   
   /**
  - * A factory for the context protocol using the context of the servlet api. 
It builds the
  - * source by asking the environment context for the real URL
  - * (see [EMAIL PROTECTED] 
org.apache.cocoon.environment.Context#getResource(String)}) and then resolving 
this real URL.
  + * A factory for the context protocol using the context of the servlet api. 
  + * It builds the source by asking the environment context for the real URL
  + * (see [EMAIL PROTECTED] 
org.apache.cocoon.environment.Context#getResource(String)}) 
  + * and then resolving this real URL.
    *
    * @author <a href="mailto:[EMAIL PROTECTED]">Carsten Ziegeler</a>
    * @author <a href="http://www.apache.org/~sylvain";>Sylvain Wallez</a>
  @@ -142,8 +143,13 @@
           }
                   
           // Remove the protocol and the first '/'
  -        int pos = location.indexOf(":/");
  -        String path = location.substring(pos+1);
  +        final int pos = location.indexOf(":/");
  +        final String path = location.substring(pos+1);
  +        
  +        // fix for #24093, we don't give access to files outside the context:
  +        if ( path.indexOf("../") != -1 ) {
  +            throw new MalformedURLException("Invalid path ('../' is not 
allowed) : " + path);
  +        }
           
           URL u;
           
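Review bot: The new guard only matches the substring `../`, so a location whose final segment is `..` (no trailing slash) or that uses a backslash separator is not rejected, while the enclosing method — which starts and ends outside this hunk — still goes on to build the URL from `path`. A segment-based check is the robust form: tokenise `path` on `/` and throw the same `MalformedURLException` when any segment equals `..`; if a simpler one-liner is preferred, `if ( path.indexOf("..") != -1 ) {` closes the trailing-segment gap at the cost of also rejecting legitimate names that contain consecutive dots, which is acceptable for context resources. Whether the servlet context later percent-decodes or re-normalises the path is not visible here, so it is worth confirming that the check runs on the same form of the path that `getResource` finally sees. A short comment such as `// reject any '..' segment: the context protocol must never resolve outside the servlet context (#24093)` would also record the intent better than the current one.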
  
  
  
