[ https://issues.apache.org/jira/browse/TRINIDAD-703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12526623 ]
Jeanne Waldman commented on TRINIDAD-703:
-----------------------------------------
I also noticed in DirectoryResourceLoader this code that does not do what it is
intended to do:
* A resource loader implementation which loads resources
* from a directory. The returned resource URL will be null
* for file resources that do not exist, or for relative paths
* that attempt to access paths outside the root directory.
// "root" directory path should always be less than the file path
boolean isContained = (_directory.compareTo(file) <= 0);
I want to change this to compare canonical paths:
// file path should contain the "root" directory path, not be outside it
boolean isContained = file.getCanonicalPath().startsWith(_directoryPath);
> Make image loading more secure
> ------------------------------
>
> Key: TRINIDAD-703
> URL: https://issues.apache.org/jira/browse/TRINIDAD-703
> Project: MyFaces Trinidad
> Issue Type: Bug
> Reporter: Jeanne Waldman
> Assignee: Jeanne Waldman
>
> Andy Schwartz found this issue:
> We register our image resource loader with a fairly loose pattern:
> register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
> new CoreClassLoaderResourceLoader(parent));
> In theory could someone get at an image on the class path outside of our own
> images by crafting a funky URL along the lines of
> "../../../../oracle/someotherpackage/foo.gif"?
> ClassLoaderResourceLoader
> should prevent access outside of the "rootPackage".
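An added illustration of the two containment checks discussed in the comment above. This is not Trinidad's code: the class ContainmentCheckExample, its method names and the temp-directory layout it builds are assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/**
 * Added example (not Trinidad's code): contrasts the compareTo containment
 * check with the canonical-path check. Names are illustrative.
 */
public class ContainmentCheckExample {
    private final File _directory;       // canonical root directory
    private final String _directoryPath; // canonical root path plus trailing separator

    public ContainmentCheckExample(File root) throws IOException {
        _directory = root.getCanonicalFile();
        String path = _directory.getPath();
        _directoryPath = path.endsWith(File.separator) ? path : path + File.separator;
    }

    /** The original check: File.compareTo orders pathname strings lexicographically,
     *  so any candidate whose string sorts after the root passes, including ones
     *  that climb out of it with "..". */
    public boolean isContainedByCompareTo(String relative) {
        File file = new File(_directory, relative);
        return _directory.compareTo(file) <= 0;
    }

    /** The proposed fix: canonicalise the candidate (resolving ".." and symlinks)
     *  and require the result to start with the root path. Keeping the trailing
     *  separator on the root stops a sibling such as "root2" from matching "root". */
    public boolean isContainedByCanonicalPath(String relative) throws IOException {
        File file = new File(_directory, relative);
        return file.getCanonicalPath().startsWith(_directoryPath);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/root is the served directory, <tmp>/root2 a sibling
        File base = Files.createTempDirectory("containment").toFile();
        File root = new File(base, "root");
        File sibling = new File(base, "root2");
        if (!root.mkdir() || !sibling.mkdir()) {
            throw new IOException("could not create example directories");
        }

        ContainmentCheckExample loader = new ContainmentCheckExample(root);
        String[] candidates = {
            "images/logo.gif",    // inside the root: both checks accept
            "../../etc/passwd",   // climbs out of the root: compareTo wrongly accepts
            "../root2/other.gif"  // sibling sharing the root's prefix: canonical check rejects
        };
        for (String candidate : candidates) {
            System.out.printf("%-22s compareTo=%-5b canonical=%-5b%n",
                candidate,
                loader.isContainedByCompareTo(candidate),
                loader.isContainedByCanonicalPath(candidate));
        }

        sibling.delete();
        root.delete();
        base.delete();
    }
}
```

The point of the third candidate is the caveat on the startsWith form: if the stored root path lacks its trailing separator, "/x/root2/other.gif" starts with "/x/root" and would be accepted, so the root string must end with File.separator (or the comparison must be done on path components) for the canonical check to mean "inside this directory" rather than "shares this prefix".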