cziegeler 2003/11/14 05:02:09
Modified:    .        status.xml
             src/java/org/apache/cocoon/components/source/impl ContextSourceFactory.java
Log:
<action dev="CZ" type="fix" fixes-bug="24093">
Disable accessing files outside the context via the context protocol.
</action>
// Remove the protocol and the first '/'
- int pos = location.indexOf(":/");
- String path = location.substring(pos+1);
+ final int pos = location.indexOf(":/");
+ final String path = location.substring(pos+1);
+ + // fix for #24093, we don't give access to files outside the context:
+ if ( path.indexOf("../") != -1 ) {
+ throw new MalformedURLException("Invalid path ('../' is not allowed) : " + path);
+ }
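Review bot: the new test `path.indexOf("../") != -1` is a plain substring match, so it refuses every path that contains "../" somewhere, including ones like "/foo/bar/../baz" that resolve to a location still inside the context, while never actually normalizing the path it accepts. Suggest resolving "." and ".." segment by segment (or through the container's canonical path) and throwing the MalformedURLException only when the resolved result climbs above the context root; that preserves the fix for #24093 without rejecting valid relative references.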
Isn't this way of checking too strict? We can have perfectly valid cases where one concatenates a base "context://foo/bar/" base URI with a "../baz" relative path.
Sylvain
--
Sylvain Wallez                                  Anyware Technologies
http://www.apache.org/~sylvain           http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
Orixo, the opensource XML business alliance - http://www.orixo.com
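To make the trade-off in this thread concrete, here is an added example (not Cocoon code and not from either poster) that runs the patch's substring rule and a segment-normalizing rule over the same constructed paths. It assumes a modern JDK, that the input is the part of the location after "context:" (as in the patch), and that any percent-decoding has already been done.

```java
import java.net.MalformedURLException;
import java.util.ArrayDeque;
import java.util.Deque;

// Added example (not Cocoon code): compares the patch's substring check with
// a segment-normalizing check that only rejects paths leaving the context root.
public class ContextPathCheck {

    // The patch's rule: any "../" anywhere in the path is rejected.
    static boolean substringCheckAccepts(String path) {
        return path.indexOf("../") == -1;
    }

    // Resolve "." and ".." segment by segment; ".." may never climb above the
    // context root. Returns the normalized path or throws if it would escape.
    static String normalizeInsideContext(String path) throws MalformedURLException {
        Deque<String> segments = new ArrayDeque<String>();
        for (String seg : path.split("/")) {
            if (seg.length() == 0 || seg.equals(".")) {
                continue;                       // skip empty and "." segments
            } else if (seg.equals("..")) {
                if (segments.isEmpty()) {       // nothing left to pop: escape
                    throw new MalformedURLException("Path escapes the context: " + path);
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed sample paths, as they look after stripping "context:"
        String[] samples = { "//foo/bar/../baz", "//foo/..", "//../outside.txt", "//foo/bar/baz" };
        for (String p : samples) {
            String normalized;
            try {
                normalized = normalizeInsideContext(p);
            } catch (MalformedURLException e) {
                normalized = "REJECTED (" + e.getMessage() + ")";
            }
            System.out.println(p + " -> substring check: "
                + (substringCheckAccepts(p) ? "accept" : "reject")
                + ", normalized: " + normalized);
        }
    }
}
```

The first sample is Sylvain's case: the substring rule rejects it, while normalization yields "/foo/baz" and accepts it; the third sample escapes the root and is rejected by both.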
