http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395

[PATCH] don't normalize away /foo/.. for files as foo may be a symlink

------- Additional Comments From [EMAIL PROTECTED] 2003-07-13 10:08 -------

1) Bruno Dumon wrote:

BD> Even with normalizing, you can access (or at least address)
BD> any file on the filesystem.

This won't happen if the normalization won't allow anyone to go up over the context-root configured. This is probably not the way the code is written now, but for security reasons it may well be preferable not to allow anyone to get via /../ over the root against which the resolution is done.

Does it sound good? If we recode it to behave like this, we're back secure again.

2) The request from the Cocoon use case we're dealing with seems to require different behavior. Maybe I have missed something (and I really have missed what is being spoken about the URI absolutizer), but in general, since we're Avalon, and since we have all these nifty configs around, I guess it shouldn't be too difficult to configure SourceFactories almost in any way. Can this be a parameter to FileSource factory to switch off normalization?
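The two behaviours discussed in this comment, as an added Java example that is not code from the bug report or from Avalon: a lexical resolver that refuses to climb above the configured root, and a variant that follows symlinks before applying the same containment check. The class and method names and the directory layout are constructed for illustration; it assumes Java 11+ and a POSIX filesystem that permits symlinks.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ContainedResolve {
    // Lexical check: collapse "." and ".." textually, then refuse anything
    // that ends up outside the configured root. Never touches the disk.
    static Path resolveLexically(Path root, String relative) {
        Path base = root.toAbsolutePath().normalize();
        Path candidate = base.resolve(relative).normalize();
        if (!candidate.startsWith(base)) {
            throw new SecurityException("escapes root: " + relative);
        }
        return candidate;
    }

    // Filesystem check: let the OS follow symlinks first (toRealPath), then
    // apply the same test to the file that would really be opened.
    static Path resolveOnDisk(Path root, String relative) throws IOException {
        Path base = root.toRealPath();
        Path candidate = base.resolve(relative).toRealPath(); // file must exist
        if (!candidate.startsWith(base)) {
            throw new SecurityException("escapes root: " + relative);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: root/foo is a symlink to outside/dir, and a
        // data.txt exists both in root/ and in outside/.
        Path tmp = Files.createTempDirectory("ctx");
        Path root = Files.createDirectories(tmp.resolve("root"));
        Path outside = Files.createDirectories(tmp.resolve("outside/dir"));
        Files.writeString(root.resolve("data.txt"), "inside");
        Files.writeString(tmp.resolve("outside/data.txt"), "outside");
        Files.createSymbolicLink(root.resolve("foo"), outside);

        // A plain "../x" is stopped by the lexical check.
        try { resolveLexically(root, "../x"); }
        catch (SecurityException e) { System.out.println("lexical: " + e.getMessage()); }

        // "foo/../data.txt" normalizes to root/data.txt and passes, but the
        // OS follows foo first, so the file actually named is outside/data.txt.
        System.out.println("lexical: " + resolveLexically(root, "foo/../data.txt"));
        try { resolveOnDisk(root, "foo/../data.txt"); }
        catch (SecurityException e) { System.out.println("on disk: " + e.getMessage()); }
    }
}
```

The lexical resolver only bounds what the normalized string addresses; whenever a symlink can exist under the root, the containment decision has to be made on the resolved path, and the resolved path is the one that should then be opened.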