Make image loading more secure
------------------------------
Key: TRINIDAD-703
URL: https://issues.apache.org/jira/browse/TRINIDAD-703
Project: MyFaces Trinidad
Issue Type: Bug
Reporter: Jeanne Waldman
Assignee: Jeanne Waldman
Andy Schwartz found this issue:
We register our image resource loader with a fairly loose pattern:

    register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
             new CoreClassLoaderResourceLoader(parent));

In theory, could someone get at an image on the class path outside of our own
images by crafting a funky URL along the lines of
"../../../../oracle/someotherpackage/foo.gif"?

ClassLoaderResourceLoader should prevent access outside of the "rootPackage".
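
One way to enforce the "rootPackage" boundary the issue asks for, as an added example that is not Trinidad's code or the fix that was committed. The class RootPackageGuard, its methods and the root "com/example/skin" are hypothetical; the request path is assumed to be already URL-decoded by the servlet container.

```java
import java.net.URL;
import java.util.ArrayDeque;
import java.util.Deque;

// Hypothetical helper, not Trinidad's ClassLoaderResourceLoader.
public class RootPackageGuard {
    private final String root;        // slash-separated root, normalised once
    private final ClassLoader loader;

    public RootPackageGuard(String rootPackage, ClassLoader loader) {
        Deque<String> segs = normalize(rootPackage);
        if (segs == null || segs.isEmpty())
            throw new IllegalArgumentException("bad root package");
        this.root = String.join("/", segs);
        this.loader = loader;
    }

    // Collapse "." and ".." segments. Returns null when the path tries to
    // climb above its starting point or contains a backslash or NUL.
    static Deque<String> normalize(String path) {
        if (path == null || path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0)
            return null;
        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue;
            if (seg.equals("..")) {
                if (out.isEmpty()) return null;   // would leave the root
                out.removeLast();
            } else {
                out.addLast(seg);
            }
        }
        return out;
    }

    // Resolve a request path strictly below the root; null means "not found".
    public URL findResource(String requestPath) {
        Deque<String> segs = normalize(requestPath);
        if (segs == null || segs.isEmpty()) return null;
        return loader.getResource(root + "/" + String.join("/", segs));
    }

    public static void main(String[] args) {
        String[] samples = {                      // constructed request paths
            "/images/a.gif", "/images/../images/a.gif",
            "/images/../../x.gif", "/../../../../oracle/someotherpackage/foo.gif" };
        for (String s : samples)
            System.out.println(s + " -> " + (normalize(s) == null ? "rejected" : "allowed"));
    }
}
```

The request path is normalised on its own before the root is prepended, so a ".." can only cancel a segment the request itself supplied and never one belonging to the root.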