My main concern is
a. should I simply reject any path with ".." in it as dangerous -or-
b. if the path contains "..", should I figure out if it resolves to a path
outside the root and only reject it in that case.
b is safer, but requires more processing.
Thanks,
- Jeanne
Jeanne Waldman wrote:
Hi there,
I'm about to fix issue:
https://issues.apache.org/jira/browse/TRINIDAD-703
snippet from issue:
We register our image resource loader with a fairly loose pattern:
register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
new CoreClassLoaderResourceLoader(parent));
In theory could someone get at an image on the class path outside of our own
images by crafting a funky URL along the lines of
"../../../../oracle/someotherpackage/foo.gif"? Yes.
ClassLoaderResourceLoader should prevent access outside of the
"rootPackage".
I mention how I am fixing it (disallowing ".." in the path), so please
comment if you'd like.
Thanks,
Jeanne
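Added example (not code from the Trinidad project or this thread) showing the two options Jeanne weighs, with option (b) done by normalizing the requested path and then checking that it still sits under the root package. The root package name, class name and sample paths are assumptions chosen for illustration; the check assumes any URL percent-decoding has already happened.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public final class ResourcePathCheck {
    // Hypothetical root package expressed as a path prefix (assumption, not Trinidad's real value).
    private static final Path ROOT = Paths.get("org/example/images").normalize();

    // Option (a): cheap and strict. Rejects every path containing "..",
    // including harmless ones such as "a/../b.gif" that never leave the root.
    public static boolean rejectedByDotDotRule(String requested) {
        return requested.contains("..");
    }

    // Option (b): resolve the request under ROOT, collapse "." and "..", and
    // keep it only if the normalized result is still inside ROOT.
    // Returns the resolved class-path resource name, or null if it escapes.
    public static String resolveWithinRoot(String requested) {
        // A leading "/" would make resolve() treat the request as absolute.
        String relative = requested.startsWith("/") ? requested.substring(1) : requested;
        Path resolved = ROOT.resolve(relative).normalize();
        // Path.startsWith compares whole components, so "org/example/images2"
        // is correctly NOT accepted as being under "org/example/images"
        // (a plain String.startsWith prefix test would get this wrong).
        if (!resolved.startsWith(ROOT)) {
            return null;
        }
        return resolved.toString().replace('\\', '/');
    }

    public static void main(String[] args) {
        // Constructed sample requests for illustration.
        String[] samples = {
            "logo.gif",                               // plain, allowed by both
            "a/../b.gif",                             // (a) rejects, (b) allows
            "../../../../oracle/someotherpackage/foo.gif", // both reject
            "/../other/secret.png"                    // both reject
        };
        for (String s : samples) {
            System.out.printf("%-45s (a) reject=%-5s (b) -> %s%n",
                s, rejectedByDotDotRule(s), resolveWithinRoot(s));
        }
    }
}
```

Option (b) turns the question "does the string contain '..'?" into "does the normalized path leave the root?", which is the property the issue actually cares about.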