Hi there,
I'm about to fix issue:
https://issues.apache.org/jira/browse/TRINIDAD-703
snippet from issue:
We register our image resource loader with a fairly loose pattern:
    register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
             new CoreClassLoaderResourceLoader(parent));
In theory could someone get at an image on the class path outside of our own
images by crafting a funky URL along the lines of
"../../../../oracle/someotherpackage/foo.gif"?
Yes.
ClassLoaderResourceLoader should prevent access outside of the "rootPackage".
I mention how I am fixing it (disallowing ".." in the path), so please comment
if you'd like.
Thanks,
Jeanne
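
An added example, not part of the original message and not Trinidad's own code: one way a class-path resource loader can refuse ".." segments so a request cannot leave its root package. The class name RootPackageGuard, the method toResourceName and the root "com/example/images" are hypothetical, and the path is assumed to have been URL-decoded by the container already.

```java
import java.util.ArrayList;
import java.util.List;

public class RootPackageGuard {

    // Hypothetical helper: maps a request path to a class-path resource name
    // under rootPackage, or returns null when the request must be refused.
    static String toResourceName(String rootPackage, String path) {
        if (path == null || path.indexOf('\\') >= 0 || path.indexOf('\0') >= 0) {
            return null; // backslashes and NULs have no place in a resource path
        }
        List<String> segments = new ArrayList<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // "//" and "/./" add nothing to the path
            }
            if (segment.equals("..")) {
                return null; // refuse outright instead of resolving upward
            }
            segments.add(segment);
        }
        if (segments.isEmpty()) {
            return null; // nothing left to look up
        }
        String root = rootPackage.endsWith("/") ? rootPackage : rootPackage + "/";
        return root + String.join("/", segments);
    }

    public static void main(String[] args) {
        String root = "com/example/images"; // constructed root package
        String[] samples = {                // constructed request paths
            "/skins/logo.png",
            "/skins/./logo.png",
            "../../../../oracle/someotherpackage/foo.gif", // path from the issue
            "/skins/../../secret.gif",
            "/skins\\..\\secret.gif"
        };
        for (String sample : samples) {
            String name = toResourceName(root, sample);
            System.out.println(sample + " -> " + (name == null ? "REFUSED" : name));
        }
    }
}
```

Because the check works on whole path segments, a file name that merely contains two dots (for example "logo..png") is still served, while every ".." segment is refused before any class loader lookup happens.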