[jira] [Created] (JCRVLT-825) Remove Patch Support (extracting files from packages to filesystem)

Konrad Windszus (Jira) Fri, 24 Oct 2025 07:35:09 -0700

Konrad Windszus created JCRVLT-825:
--------------------------------------

             Summary: Remove Patch Support (extracting files from packages to 
filesystem)
                 Key: JCRVLT-825
                 URL: https://issues.apache.org/jira/browse/JCRVLT-825
             Project: Jackrabbit FileVault
          Issue Type: Improvement
          Components: vlt
            Reporter: Konrad Windszus



The patch handling in 
https://github.com/apache/jackrabbit-filevault/blob/983bdec48b5772d6888d76c1b86899a90de735ef/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java#L1264
 allows to deserialize files from packages to the underlying filesystem.

To enable that one needs to programmatically install the package with the right 
import options. By default this is disabled.

However this mechanism is no longer used and potentially can be abused by 
consumers (via API) to open a way to place something on the filesystem via 
custom package installations. Therefore it should be removed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Created] (JCRVLT-825) Remove Patch Support (extracting files from packages to filesystem)

Reply via email to