The "Request Path" is what is being tested here.
Proper pattern is "/${repoId}/${pathToResource}"

The idea with the normalize found in RepositoryAccess is to prevent a
user from requesting resources outside of the repository tree, such
as /etc/passwd or /etc/groups or the configuration files for the
database.

The process isn't as straightforward as it seems.

Normalize was a convenient way to handle test cases such as
"/central/../../../etc/passwd" which should return the
${pathToResource} of "/etc/passwd" which in turn is just
tacked onto the end of the actual filesystem path for the ${repoId}.

In this use case, having UNC support in normalize makes no sense.

Pardon my VooDoo (floater) induced reply.

- Joakim Erdfelt

Henri Yandell wrote:
> In looking at moving from Plexus FileUtils.normalize to IO
> FilenameUtils.normalize, there's one feature difference in that the
> latter does not convert '//etc/passwd' to '/etc/passwd'. Kenney
> suggests on #plexus that that is probably to support Windows SMB
> names.
>
> RepositoryAccessTest contains a test that now fails:
>
> assertRequestPath( "central", "/etc/passwd",
> "/central//etc/passwd" );
>
> It returns '//etc/passwd'.
>
> Anyone know if the solution here is:
>
> a) To consider /etc/passwd the right answer.
> or
> b) To modify the getRepositoryPath method to fold '^//' into '/'.
>
> Or something else?
>
> Hen
>
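
An added example, not part of the thread and not the project's RepositoryAccess code: one way to split a "/${repoId}/${pathToResource}" request so that both "/central/../../../etc/passwd" and "/central//etc/passwd" yield "/etc/passwd" without relying on either library's normalize, followed by a containment check after the path is appended to the repository root. The class and method names and the sample root directory are hypothetical.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayDeque;
import java.util.Deque;

public class RequestPathDemo {
    // Hypothetical helper: returns {repoId, pathToResource} for "/${repoId}/${pathToResource}".
    static String[] splitRequestPath(String requestPath) {
        String repoId = null;
        Deque<String> kept = new ArrayDeque<>();
        for (String seg : requestPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                 // folds "//" and "/./", so no UNC-style prefix survives
            }
            if (repoId == null) {
                if (seg.equals("..")) throw new IllegalArgumentException("no repository id");
                repoId = seg;             // first real segment names the repository
            } else if (seg.equals("..")) {
                kept.pollLast();          // clamp at the repository root, never climb above it
            } else {
                kept.addLast(seg);
            }
        }
        if (repoId == null) throw new IllegalArgumentException("no repository id");
        return new String[] { repoId, "/" + String.join("/", kept) };
    }

    // Appends the resource path to the repository root and re-checks containment.
    static Path resolve(Path repoRoot, String pathToResource) {
        Path root = repoRoot.toAbsolutePath().normalize();
        Path target = root.resolve(pathToResource.substring(1)).normalize();
        if (!target.startsWith(root)) {
            throw new SecurityException("outside repository: " + pathToResource);
        }
        return target;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/var/repos/central");   // constructed sample root
        String[] samples = {                            // constructed sample requests
            "/central/../../../etc/passwd", "/central//etc/passwd", "/central/org/foo/../bar.jar" };
        for (String s : samples) {
            String[] parts = splitRequestPath(s);
            System.out.println(s + " -> repoId=" + parts[0] + " path=" + parts[1]
                    + " file=" + resolve(root, parts[1]));
        }
    }
}
```

The containment check in `resolve` is lexical only; a repository that may contain symlinks would also need the real path compared against the root.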