Hello Jeanne,

Personally, you won't break anything in my projects, but that's only because
I fully converted the skin to use the new Trinidad URL system (well, it's
more the Trinidad URL system than a new one, actually). However, preventing '..'
will most likely make the passage between ADF Faces and Trinidad more
difficult, as '..' was often needed with ADF Faces and background-image
within skins. Would it be possible to do your change but, if you detect '..',
switch to the old code path and log a warning about deprecated URL usage
within the skin? We could offer a grace period until one month or so after
JDeveloper 11g gets into production, maybe? I would use that date because the
number of Trinidad users will most likely get a big boost from old ADF Faces
users when JDev 11 is officially released. Also, those new users will most
likely have to do the aforementioned conversion.


Regards,

~ Simon

On 9/11/07, Jeanne Waldman <[EMAIL PROTECTED]> wrote:
>
> My main concern is:
> a. should I simply reject any path with ".." in it as dangerous -or-
>
> b. if the path contains "..", I should figure out if it resolves to a path
> outside the root and only reject it in that case.
>
> b is safer, but requires more processing.
>
> Thanks,
>
> - Jeanne
>
>
> Jeanne Waldman wrote:
> > Hi there,
> > I'm about to fix issue:
> > https://issues.apache.org/jira/browse/TRINIDAD-703
> >
> > snippet from issue:
> >
> > We register our image resource loader with a fairly loose pattern:
> > register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
> > new CoreClassLoaderResourceLoader(parent));
> >
> > In theory could someone get at an image on the class path outside of
> > our own
> > images by crafting a funky URL along the lines of
> > "../../../../oracle/someotherpackage/foo.gif"? Yes.
> > ClassLoaderResourceLoader should prevent access outside of the
> > "rootPackage".
> >
> >
> > I mention how I am fixing it (disallowing ".." in the path), so please
> > comment if you'd like.
> >
> > Thanks,
> > Jeanne
> >
> >
>
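The two options Jeanne weighs, (a) rejecting any ".." outright versus (b) resolving the path and rejecting only when it escapes the root, together with the grace-period variant Simon asks for, can be put side by side in a few lines. The following is an added example written for this thread, not Trinidad's ClassLoaderResourceLoader code; the class name RootedResourcePath, the root package string and the sample request paths are all constructed for illustration. The grace-period variant here logs the deprecation warning and still applies check (b), rather than routing to the old unchecked loader, so a ported skin keeps working only as long as its '..' stays inside the root.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.logging.Logger;

/**
 * Hypothetical path check (not Trinidad's own code) for a class-path resource
 * loader rooted at a package such as "org/apache/myfaces/trinidad/images".
 * Paths are expected in the form matched by the loose register() pattern
 * from the issue: a leading "/" followed by segments separated by "/".
 */
public final class RootedResourcePath {
    private static final Logger LOG = Logger.getLogger(RootedResourcePath.class.getName());

    private RootedResourcePath() {}

    /**
     * Option (a): accept the request only if no segment is "..".
     * Simple, but also refuses "/a/../b", which stays inside the root.
     */
    public static boolean rejectsDotDot(String path) {
        for (String segment : path.split("/")) {
            if ("..".equals(segment)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Option (b): collapse "." and ".." segments and check that the result
     * still lies under rootPackage. Returns the resolved class-path resource
     * name, or null if the request would climb above the root or names the
     * root itself rather than a resource.
     */
    public static String resolveUnderRoot(String rootPackage, String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || ".".equals(segment)) {
                continue;                       // "//" and "." are no-ops
            }
            if ("..".equals(segment)) {
                if (segments.isEmpty()) {
                    return null;                // would escape the root
                }
                segments.removeLast();
            } else {
                segments.addLast(segment);
            }
        }
        if (segments.isEmpty()) {
            return null;                        // "/" or "/a/.." is not a resource
        }
        StringBuilder sb = new StringBuilder(rootPackage);
        for (String s : segments) {
            sb.append('/').append(s);
        }
        return sb.toString();
    }

    /**
     * Grace-period variant: warn once per request that '..' in a skin URL is
     * deprecated, then apply check (b) so that only in-root uses keep working.
     */
    public static String resolveWithGracePeriod(String rootPackage, String path) {
        if (!rejectsDotDot(path)) {
            LOG.warning("Deprecated '..' in skin resource URL: " + path);
        }
        return resolveUnderRoot(rootPackage, path);
    }

    public static void main(String[] args) {
        // Constructed sample values; the real root package is the loader's.
        String root = "org/apache/myfaces/trinidad/images";
        String[] requests = {
            "/skins/purple/bg.png",                        // plain, accepted by both
            "/skins/purple/../shared/bg.png",              // (a) rejects, (b) accepts
            "/../../../../oracle/someotherpackage/foo.gif" // both reject
        };
        for (String r : requests) {
            System.out.println(r + " -> a: " + rejectsDotDot(r)
                + ", b: " + resolveWithGracePeriod(root, r));
        }
    }
}
```

Two caveats for whichever option is chosen: run the check on the path after any URL decoding has happened (a "%2e%2e" segment must be seen as ".."), and keep the final lookup relative to rootPackage, as resolveUnderRoot does, so the class loader is never handed an absolute or parent-relative name.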
