http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395

[PATCH] don't normalize away /foo/.. for files as foo may be a symlink

------- Additional Comments From [EMAIL PROTECTED] 2003-07-12 19:27 -------

The patch has not yet been applied, but I'll do it soon.

Your example illustrated to me that your security concerns are not relevant here. This is because the SourceResolver doesn't know what the {1} part is; it just gets the whole string and performs normalization on that. It's up to the code constructing that string to perform normalization on the {1} part if it comes from an untrusted source. (And in an environment like Cocoon, the {1} usually comes from the request URI, which is already normalized by the container, so that is safe already.)
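The symlink problem the bug title describes, as an added Python example that is not part of the bug report or of the Cocoon SourceResolver code: it builds a constructed temporary tree in which `base/foo` is a symlink, shows that string-only normalization of `foo/../bar` and filesystem resolution disagree, and includes a defender-side confinement check (`is_confined`, a hypothetical helper) of the kind the comment says belongs in the code that constructs the string. It assumes a POSIX filesystem where the process may create symlinks.

```python
import os
import shutil
import tempfile

def lexical_normalize(path):
    """String-only normalization, as the resolver in the bug does: '/foo/../bar' -> '/bar'."""
    return os.path.normpath(path)

def filesystem_resolve(path):
    """Resolution as the kernel performs it: symlinks are followed before '..' is applied."""
    return os.path.realpath(path)

def is_confined(base, untrusted_part):
    """Hypothetical defender-side check: resolve through the filesystem, then
    require the result to sit under the real base directory."""
    real_base = os.path.realpath(base)
    target = os.path.realpath(os.path.join(base, untrusted_part))
    return os.path.commonpath([real_base, target]) == real_base

def build_demo_tree():
    """Constructed sample tree (not from the bug report):
         root/base/                        directory the resolver is anchored at
         root/outside/sub/                 an unrelated directory
         root/base/foo -> root/outside/sub the symlink that makes '..' misleading
    """
    root = os.path.realpath(tempfile.mkdtemp())
    base, sub = os.path.join(root, "base"), os.path.join(root, "outside", "sub")
    os.makedirs(base)
    os.makedirs(sub)
    os.symlink(sub, os.path.join(base, "foo"))
    return root, base

def demo(untrusted_part="foo/../bar"):
    """Join an untrusted {1}-style part onto base and report both interpretations
    (relative to the temp root) plus whether the confinement check passes."""
    root, base = build_demo_tree()
    try:
        joined = os.path.join(base, untrusted_part)
        return {
            "lexical": os.path.relpath(lexical_normalize(joined), root),
            "filesystem": os.path.relpath(filesystem_resolve(joined), root),
            "confined": is_confined(base, untrusted_part),
        }
    finally:
        shutil.rmtree(root)  # remove the constructed tree again

if __name__ == "__main__":
    print(demo())       # lexical 'base/bar', filesystem 'outside/bar', confined False
    print(demo("bar"))  # both 'base/bar', confined True
```

The lexical result stays under `base` while the path the kernel would actually open lands in `outside`, which is why the check has to run after symlink resolution rather than on the normalized string.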