[
https://issues.apache.org/jira/browse/TRINIDAD-703?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12526658
]
Jeanne Waldman commented on TRINIDAD-703:
-----------------------------------------
Will I break anyone if I reject any paths that have .. in them rather than
figuring out what the entire path with '..' resolve to and make sure it is
still under the root?
> Make image loading more secure
> ------------------------------
>
> Key: TRINIDAD-703
> URL: https://issues.apache.org/jira/browse/TRINIDAD-703
> Project: MyFaces Trinidad
> Issue Type: Bug
> Reporter: Jeanne Waldman
> Assignee: Jeanne Waldman
>
> Andy Schwartz found this issue:
> We register our image resource loader with a fairly loose pattern:
> register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
> new CoreClassLoaderResourceLoader(parent));
> In theory could someone get at an image on the class path outside of our own
> images by doing crafting a funky URL along the lines of
> "../../../../oracle/someotherpackage/foo.gif"?
> ClassLoaderResourceLoader
> should prevent access outside of the "rootPackage".
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
