Hi Simon,
Very good point. I have seen skins have ".." in the background-image
path. I forgot about that.
The reason for fixing this issue is that we feel it is a security issue
if the use of the ".." in the path is such that the path goes outside
of the 'root'.
If I switch to the old code path and log a warning about the deprecated
URL usage, then the security issue will still exist.
It sounds like, to fix the issue correctly, I'll have to make sure that if
the path contains ".." the path doesn't take us outside the root.
e.g.,
foo/bar/../../zoo/../.. -> takes you outside root.
A side note -- I found a bug in the DirectoryResourceLoader where it
was allowing paths outside the root directory, even though the comment
said that it wasn't. I can fix that easily, and I will log a separate
issue and fix that since it isn't controversial.
Thanks again for your comments,
- Jeanne
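A worked version of the check described above (option "b" from further down the thread: resolve the ".." segments and reject only a path that actually climbs above the root). This is an added example, not Trinidad's own resource-loader code; the class name, the method name and the sample paths other than the two quoted in the thread are assumptions. It assumes the path has already been URL-decoded and uses "/" as the separator, as class-path resource names do.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example (not Trinidad code): resolves "." and ".." segments in a
 * resource path and rejects any path that would climb above the loader's
 * root at any point, not just at the end.
 */
public final class RootBoundedPath {

  /**
   * Returns the normalized path (no "." or ".." segments, single slashes,
   * leading "/") if it stays under the root, or null if any prefix of the
   * path escapes the root. Assumes a URL-decoded, "/"-separated path.
   */
  public static String normalizeWithinRoot(String path) {
    if (path == null) {
      return null;
    }
    Deque<String> stack = new ArrayDeque<>();
    for (String segment : path.split("/")) {
      if (segment.isEmpty() || segment.equals(".")) {
        continue;                 // "a//b" and "a/./b" both mean "a/b"
      }
      if (segment.equals("..")) {
        if (stack.isEmpty()) {
          return null;            // would climb above the root: reject
        }
        stack.removeLast();       // ".." inside the tree is harmless
        continue;
      }
      stack.addLast(segment);     // "..." or "..foo" are ordinary names
    }
    StringBuilder sb = new StringBuilder();
    for (String segment : stack) {
      sb.append('/').append(segment);
    }
    return sb.length() == 0 ? "/" : sb.toString();
  }

  public static void main(String[] args) {
    // Constructed sample paths; the first two are the thread's own examples.
    String[] samples = {
      "/foo/bar/../../zoo/../..",                    // escapes the root
      "../../../../oracle/someotherpackage/foo.gif", // TRINIDAD-703 example
      "/skins/purple/../images/bg.png",              // ".." but stays inside
      "/skins/./purple//bg.png",                     // "." and "//" are harmless
      "/foo/../../bar/baz",                          // dips below root mid-way
    };
    for (String s : samples) {
      String normalized = normalizeWithinRoot(s);
      System.out.println(s + " -> "
          + (normalized == null ? "REJECTED (outside root)" : normalized));
    }
  }
}
```

The last sample is the case a count-based check gets wrong: it has three ordinary segments and only two ".." segments, so the net depth looks positive, yet the path leaves the root at the second ".." before coming back. Walking the segments in order and rejecting the moment the stack is empty catches that, while still letting a skin's "purple/../images/bg.png" through. Run it with `javac RootBoundedPath.java && java RootBoundedPath`.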
Simon Lessard wrote:
Hello Jeanne,
Personally you won't break anything with my projects, but it's only
because I fully converted the skin to use the new Trinidad URL system
(well it's more Trinidad URL system than new actually). However,
preventing the '..' will most likely make the passage between ADF Faces
and Trinidad more difficult as '..' was often needed with ADF Faces and
background-image within skins. Would it be possible to do your change
but if you detect '..', switch to the old code path and log a warning
about a deprecated URL usage within the skin? We could offer a grace
period until one month or so after JDeveloper 11g gets into production
maybe? I would use that date because the number of Trinidad users will
most likely get a big boost from old ADF Faces users when JDev 11 is
officially released. Also, those new users will most likely have to do
the aforementioned conversion.
Regards,
~ Simon
On 9/11/07, Jeanne Waldman <[EMAIL PROTECTED]> wrote:
My main concern is
a. should I simply reject any path with ".." in it as dangerous -or-
b. if the path contains "..", figure out if it resolves to a path
outside the root and only reject it in that case.
b is safer, but requires more processing.
Thanks,
- Jeanne
Jeanne Waldman wrote:
> Hi there,
> I'm about to fix issue:
> https://issues.apache.org/jira/browse/TRINIDAD-703
>
> snippet from issue:
>
> We register our image resource loader with a fairly loose pattern:
> register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
> new CoreClassLoaderResourceLoader(parent));
>
> In theory could someone get at an image on the class path outside of our own
> images by crafting a funky URL along the lines of
> "../../../../oracle/someotherpackage/foo.gif"? Yes.
> ClassLoaderResourceLoader should prevent access outside of the
> "rootPackage".
>
>
> I mention how I am fixing it (disallowing ".." in the path), so please
> comment if you'd like.
>
> Thanks,
> Jeanne
>
>