[
https://issues.apache.org/jira/browse/TRINIDAD-703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12526624
]
Jeanne Waldman commented on TRINIDAD-703:
-----------------------------------------
In ClassLoaderResoureLoader, I want to add this code to fix the problem:
// if the path has ".." in it, then log an ERROR and return null
if (path.indexOf("..") > -1)
{
_LOG.severe("The resource's path {0} contains \"..\" which is illegal, so
" +
"it will be ignored: ", path);
return null;
}
Please comment if there are any issues with this.
> Make image loading more secure
> ------------------------------
>
> Key: TRINIDAD-703
> URL: https://issues.apache.org/jira/browse/TRINIDAD-703
> Project: MyFaces Trinidad
> Issue Type: Bug
> Reporter: Jeanne Waldman
> Assignee: Jeanne Waldman
>
> Andy Schwartz found this issue:
> We register our image resource loader with a fairly loose pattern:
> register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
> new CoreClassLoaderResourceLoader(parent));
> In theory could someone get at an image on the class path outside of our own
> images by doing crafting a funky URL along the lines of
> "../../../../oracle/someotherpackage/foo.gif"?
> ClassLoaderResourceLoader
> should prevent access outside of the "rootPackage".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
