Sylvain Wallez wrote:
>
> > // Remove the protocol and the first '/'
> > - int pos = location.indexOf(":/");
> > - String path = location.substring(pos+1);
> > + final int pos = location.indexOf(":/");
> > + final String path = location.substring(pos+1);
> > +
> > + // fix for #24093, we don't give access to files
> outside the context:
> > + if ( path.indexOf("../") != -1 ) {
> > + throw new MalformedURLException("Invalid path
> ('../' is not allowed) : " + path);
> > + }
> >
> >
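Review bot: the `path.indexOf("../") != -1` test is both too loose and too strict for its purpose. Too loose: a path whose last segment is ".." with no trailing slash (for example `/foo/..`) contains no "../" substring and passes, yet still climbs out of `/foo`. Too strict: `/foo/bar/../baz` resolves to `/foo/baz`, which is inside the context, but is rejected. Consider normalizing the "." and ".." segments and then refusing only paths whose normalized form would climb above the context root, which makes the check independent of how the caller spelled the path. Also note the pre-existing behaviour on the line above: when `indexOf(":/")` returns -1, `pos+1` is 0 and `path` silently becomes the whole location string.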
>
> Isn't this way of checking too strict? We can have perfectly valid cases
> where one concatenates a base "context://foo/bar/" base URI with a
> "../baz" relative path.
>
Hmmm, who does such nice things?
Ok, but you're right - don't we have a URL mangler somewhere that does
this for us?
Carsten
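Sylvain's case of a base "context://foo/bar/" joined with a "../baz" relative path, worked through as an added illustration that is not code from this thread or from Cocoon: instead of rejecting every literal "../", the segments are resolved and only a path that would climb above the context root is refused. `ContextPathCheck` and `normalize` are hypothetical names.

```java
import java.net.MalformedURLException;
import java.util.ArrayDeque;
import java.util.Deque;

/** Hypothetical helper (not Cocoon code): resolve "." and ".." segments
 *  of a context-relative path and reject only a path that would end up
 *  above the context root. */
public final class ContextPathCheck {

    /** Returns the normalized path, or throws if it escapes the context. */
    public static String normalize(String path) throws MalformedURLException {
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                        // "//" and "." add nothing
            }
            if (seg.equals("..")) {
                if (out.isEmpty()) {             // nothing left to pop: above the root
                    throw new MalformedURLException(
                        "Invalid path (escapes the context) : " + path);
                }
                out.removeLast();                // ".." cancels the previous segment
                continue;
            }
            out.addLast(seg);
        }
        return "/" + String.join("/", out);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Same split as the patch: drop the protocol and the first '/'.
        String location = "context://foo/bar/../baz";   // constructed sample
        int pos = location.indexOf(":/");
        String path = location.substring(pos + 1);       // "//foo/bar/../baz"
        // The literal "../" test would reject this; normalizing keeps it,
        // because the result still lies inside the context.
        System.out.println(normalize(path));

        // A trailing ".." segment has no "../" substring, yet still climbs;
        // segment-wise resolution catches it when it leaves the root.
        try {
            normalize("/foo/../..");                    // constructed sample
        } catch (MalformedURLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```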