[jira] [Assigned] (JCRVLT-825) Remove Patch Support (extracting files from packages to filesystem)

Konrad Windszus (Jira) Fri, 24 Oct 2025 07:39:25 -0700


     [ 
https://issues.apache.org/jira/browse/JCRVLT-825?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]


Konrad Windszus reassigned JCRVLT-825:
--------------------------------------

    Assignee: Konrad Windszus

> Remove Patch Support (extracting files from packages to filesystem)
> -------------------------------------------------------------------
>
>                 Key: JCRVLT-825
>                 URL: https://issues.apache.org/jira/browse/JCRVLT-825
>             Project: Jackrabbit FileVault
>          Issue Type: Improvement
>          Components: vlt
>    Affects Versions: 4.1.4
>            Reporter: Konrad Windszus
>            Assignee: Konrad Windszus
>            Priority: Major
>
> The patch handling in 
> https://github.com/apache/jackrabbit-filevault/blob/983bdec48b5772d6888d76c1b86899a90de735ef/vault-core/src/main/java/org/apache/jackrabbit/vault/fs/io/Importer.java#L1264
>  allows to deserialize files from packages to the underlying filesystem.
> To enable that one needs to programmatically install the package with the 
> right import options. By default this is disabled.
> However this mechanism is no longer used and potentially can be abused by 
> consumers (via API) to open a way to place something on the filesystem via 
> custom package installations. Therefore it should be removed.



--
This message was sent by Atlassian Jira
(v8.20.10#820010)

[jira] [Assigned] (JCRVLT-825) Remove Patch Support (extracting files from packages to filesystem)

Reply via email to