On Fri, 2003-11-14 at 15:11, Carsten Ziegeler wrote:
> Sylvain Wallez wrote:
> >
> > > // Remove the protocol and the first '/'
> > > - int pos = location.indexOf(":/");
> > > - String path = location.substring(pos+1);
> > > + final int pos = location.indexOf(":/");
> > > + final String path = location.substring(pos+1);
> > > +
> > > + // fix for #24093, we don't give access to files
> > outside the context:
> > > + if ( path.indexOf("../") != -1 ) {
> > > + throw new MalformedURLException("Invalid path
> > ('../' is not allowed) : " + path);
> > > + }
> > >
> > >
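Review bot: the check added at the end of the hunk, `if ( path.indexOf("../") != -1 )`, is a textual test on the raw location rather than a test on the resolved path, so it rejects every location that merely contains "../", including a "context://foo/bar/" base joined with a "../baz" relative reference that still lands inside the context. Consider resolving the location first and then rejecting it only when the normalized path falls outside the context root; that keeps the #24093 fix without breaking legitimate relative references.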
> >
> > Isn't this way of checking too strict? We can have perfectly valid cases
> > where one concatenates a base "context://foo/bar/" base URI with a
> > "../baz" relative path.
> >
> Hmmm, who does such nice things?
The one who does such nice things should use the method
SourceResolver.resolve(String location, String base, Map parameters)
instead of concatenating the two strings.
> Ok, but you're right - don't we have a URL mangler somewhere that does
> this for us?
The SourceResolver does all that.
--
Bruno Dumon http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
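As an added illustration of the point in this thread (not code from Cocoon or from any of the posters), the following resolves a relative reference against a context base segment by segment, accepting "../baz" under "context://foo/bar/" while rejecting a reference that climbs past the context root; the class and method names are assumptions, not the SourceResolver API, and "context://" is taken to be the root.

```java
import java.net.MalformedURLException;
import java.util.ArrayDeque;
import java.util.Deque;

// Added example, not Cocoon's SourceResolver: resolve base + relative by
// walking the path segments, so that "../" inside the context is fine and
// only a result that leaves the context root is refused.
public final class ContextPathResolver {

    private static final String SCHEME = "context://";

    public static String resolve(String base, String relative) throws MalformedURLException {
        if (!base.startsWith(SCHEME)) {
            throw new MalformedURLException("Base is not a context URI: " + base);
        }
        // Directory part of the base: everything after the scheme up to and
        // including the last '/'.
        String baseDir = base.substring(SCHEME.length(), base.lastIndexOf('/') + 1);
        String joined = relative.startsWith("/") ? relative.substring(1) : baseDir + relative;

        Deque<String> stack = new ArrayDeque<>();
        for (String segment : joined.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                       // "//" and "." add nothing
            }
            if (segment.equals("..")) {
                if (stack.isEmpty()) {          // would step above the context root
                    throw new MalformedURLException(
                        "Path escapes the context: " + base + " + " + relative);
                }
                stack.removeLast();
            } else {
                stack.addLast(segment);
            }
        }
        return SCHEME + String.join("/", stack);
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample inputs: the first two stay inside the context.
        System.out.println(resolve("context://foo/bar/", "../baz"));
        System.out.println(resolve("context://foo/bar/", "./x/../y"));
        try {
            resolve("context://foo/bar/", "../../../outside.xml");
        } catch (MalformedURLException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```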