[ https://issues.apache.org/jira/browse/KNOX-2643?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17426630#comment-17426630 ]

Larry McCay commented on KNOX-2643:
-----------------------------------

Due to the upcoming release of 1.6.0 and the need for an incompatible change 
coming up for the log4j migration, we are moving this out to the 2.0.0 release. 
As of now, 1.6.0 will be the last 1.x.x release due to the incompatible change. 
If there is a critical need for this in 1.6.0, please feel free to move the 
fixVersion back to 1.6.0 with a note of justification.



> TopologyService should validate descriptor and provider config file paths
> -------------------------------------------------------------------------
>
>                 Key: KNOX-2643
>                 URL: https://issues.apache.org/jira/browse/KNOX-2643
>             Project: Apache Knox
>          Issue Type: Bug
>          Components: Server
>    Affects Versions: 1.5.0
>            Reporter: Philip Zampino
>            Priority: Major
>             Fix For: 2.0.0
>
>
> DefaultTopologyService#deployProviderConfiguration and 
> DefaultTopologyService#deployDescriptor blindly trust the file name without 
> validating that the location will be bound to the expected resource directory 
> (e.g., sharedProvidersDirectory, descriptorsDirectory).
> Names that would place the file outside the expected location or intent 
> (e.g., ../gateway-site.xml) should be rejected.



--
This message was sent by Atlassian Jira
(v8.3.4#803005)
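
The validation the issue description asks for, sketched as an added example (not Knox code and not the project's eventual fix). The `ResourceNameCheck` class, the `resolveInside` helper, and every sample name except `../gateway-site.xml` are assumptions; the check is deliberately stricter than plain containment and accepts only a plain file name that resolves to a direct child of the target directory.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class ResourceNameCheck {

    /** Returns the path for {@code name} inside {@code baseDir}, or throws if it would land elsewhere. */
    static Path resolveInside(Path baseDir, String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty resource name");
        }
        Path base = baseDir.toAbsolutePath().normalize();
        Path candidate;
        try {
            // resolve() returns 'name' itself when it is absolute; normalize() collapses "." and "..".
            candidate = base.resolve(name).normalize();
        } catch (InvalidPathException e) { // e.g. an embedded NUL character
            throw new IllegalArgumentException("invalid resource name", e);
        }
        Path leaf = candidate.getFileName(); // null when the candidate is a filesystem root
        boolean directChild = base.equals(candidate.getParent());
        boolean plainName = leaf != null && leaf.toString().equals(name);
        if (!directChild || !plainName) {
            throw new IllegalArgumentException("resource name must be a plain file name: " + name);
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed stand-in for sharedProvidersDirectory / descriptorsDirectory.
        Path dir = Files.createTempDirectory("shared-providers");
        String[] names = { // constructed sample names; only ../gateway-site.xml comes from the issue
            "sandbox-providers.json", "../gateway-site.xml", "sub/../../gateway-site.xml",
            "/etc/gateway-site.xml", "sub/providers.json", ".", ".." };
        for (String name : names) {
            try {
                System.out.println("accepted  " + name + " -> " + resolveInside(dir, name));
            } catch (IllegalArgumentException e) {
                System.out.println("rejected  " + name);
            }
        }
        Files.delete(dir);
    }
}
```

Only `sandbox-providers.json` is accepted. The check is lexical, so it does not follow symbolic links that already exist inside the directory.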
