I tried it, and it resolves out the "..". It doesn't call
ClassLoaderResourceLoader.
This is what I tried:
In purple skin:
af|selectOrderShuttle::reorder-bottom-icon {
background-image: url('../../adf/images/tab3-start-selected.gif');
width: 16px;
height: 16px;
}
and it is this in the css file:
.af_selectOrderShuttle_reorder-bottom-icon {
background-image:url(/trinidad-demo-context-root/adf/images/tab3-start-selected.gif);
width:16px;height:16px}
It resolves it in CSSUtils getAbsoluteURIValue, and ah, I see it makes sure it isn't outside the root
and this is the message when I test it.
Sep 12, 2007 9:43:38 AM org.apache.myfaces.trinidadinternal.style.util.CSSUtils getAbsoluteURIValue
WARNING: Invalid image uri '../../../../../../../../Temp/ImagesAndHTMLForMySkinningDocuments/iconAPI.png' in style sheet 'skins/purple/purpleSkin.css'
So, it seems like I can create code like the getAbsoluteURIValue in the ClassLoaderRL, or put this in a utility class.
- Jeanne
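For readers following the "a vs. b" question below, here is a self-contained sketch of option b (resolve ".." and reject only when the result leaves the root) combined with Simon's suggestion of logging a deprecation warning when ".." was used but still resolves inside the root. This is an added example, not Trinidad's CSSUtils.getAbsoluteURIValue or ClassLoaderResourceLoader code; the class RootedPathResolver and its method names are assumptions, and the context-root prefix seen in the generated CSS above is left out.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.logging.Logger;

// Added example (not Trinidad's own code): resolve "." and ".." segments of a
// skin image path and refuse any path that would climb above the resource root.
public final class RootedPathResolver {
    private static final Logger LOG = Logger.getLogger(RootedPathResolver.class.getName());

    private RootedPathResolver() {}

    // Normalises a '/'-separated path. Returns the canonical path (always
    // starting with '/'), or null when a ".." segment has nothing left to pop,
    // i.e. the path escapes the root. Must be applied to the already
    // URL-decoded path so encoded dot segments cannot slip past the check.
    public static String resolveWithinRoot(String path) {
        if (path == null || path.indexOf('\\') >= 0) {
            return null;                     // backslashes are treated as invalid rather than guessed at
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                    // "//" and "/./" contribute nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;             // climbed above the root: reject
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    // Resolves a url(...) value found in a style sheet against the directory
    // containing that style sheet, then applies the root check.
    public static String resolveStyleSheetUri(String styleSheetPath, String uri) {
        if (uri.startsWith("/")) {
            return resolveWithinRoot(uri);
        }
        int slash = styleSheetPath.lastIndexOf('/');
        String dir = slash < 0 ? "/" : styleSheetPath.substring(0, slash + 1);
        return resolveWithinRoot(dir + uri);
    }

    // Option b with a grace period: a uri containing ".." is still accepted
    // when it resolves inside the root (with a deprecation warning), and is
    // rejected with a warning when it does not.
    public static String checkedResourcePath(String styleSheetPath, String uri) {
        String resolved = resolveStyleSheetUri(styleSheetPath, uri);
        if (resolved == null) {
            LOG.warning("Invalid image uri '" + uri + "' in style sheet '" + styleSheetPath + "'");
            return null;
        }
        if (uri.contains("..")) {
            LOG.warning("Deprecated '..' in image uri '" + uri + "' in style sheet '"
                + styleSheetPath + "'; resolved to '" + resolved + "'");
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed inputs mirroring the paths discussed in this thread.
        String skin = "/skins/purple/purpleSkin.css";
        // stays inside the root after the two ".." segments are resolved
        System.out.println(checkedResourcePath(skin, "../../adf/images/tab3-start-selected.gif"));
        // Jeanne's example: pops more segments than exist, so it is rejected
        System.out.println(resolveWithinRoot("/foo/bar/../../zoo/../.."));
        // the path from the warning message above: rejected, warning logged
        System.out.println(checkedResourcePath(skin,
            "../../../../../../../../Temp/ImagesAndHTMLForMySkinningDocuments/iconAPI.png"));
    }
}
```

Applied to a class-path loader the same routine would run on the requested path before the rootPackage is prepended, so that a rejected (null) result never reaches ClassLoader.getResource; the only extra cost over option a is one pass over the segments.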
Simon Lessard wrote:
Well, I no longer use those with Trinidad so I'm not sure about it, but with ADF Faces the resulting CSS still contains '..'
~ Simon
On 9/12/07, Adam Winer <[EMAIL PROTECTED]> wrote:
Do such URLs in skins actually result in incoming URLs containing "..", or does it get resolved out when we generate the .css?
-- Adam
On 9/12/07, Jeanne Waldman <[EMAIL PROTECTED]> wrote:
>
> Hi Simon,
>
> Very good point. I have seen skins have ".." in the background-image path.
> I forgot about that.
>
> The reason for fixing this issue is that we feel it is a security issue if the use of the ".." in the path is such that the path goes outside of the 'root'.
>
> If I switch to the old code path and log a warning about the deprecated URL usage, then the security issue will still exist.
> It sounds like to fix the issue correctly, I'll have to make sure if the path contains ".." that the path doesn't take us outside the root. e.g., foo/bar/../../zoo/../.. -> takes you outside root.
>
> A side note -- I found a bug in the DirectoryResourceLoader where it was allowing paths outside the root directory, even though the comment said that it wasn't. I can fix that easily, and I will log a separate issue and fix that since it isn't controversial.
>
> Thanks again for your comments,
> - Jeanne
>
>
> Simon Lessard wrote:
> Hello Jeanne,
>
> Personally you won't break anything with my projects, but it's only because I fully converted the skin to use the new Trinidad URL system (well, it's more the Trinidad URL system than new, actually). However, preventing the '..' will most likely make the passage between ADF Faces and Trinidad more difficult, as '..' was often needed with ADF Faces and background-image within skins. Would it be possible to do your change but, if you detect '..', switch to the old code path and log a warning about a deprecated URL usage within the skin? We could offer a grace period until one month or so after JDeveloper 11g gets into production, maybe? I would use that date because the number of Trinidad users will most likely get a big boost from old ADF Faces users when JDev 11 is officially released. Also, those new users will most likely have to do the aforementioned conversion.
>
>
> Regards,
>
> ~ Simon
>
>
> On 9/11/07, Jeanne Waldman <[EMAIL PROTECTED]> wrote:
> > My main concern is
> > a. should I simply reject any path with ".." in it as dangerous -or-
> >
> > b. if the path contains "..", should I figure out if it resolves to a path outside the root and only reject it in that case.
> >
> > b is safer, but requires more processing.
> >
> > Thanks,
> >
> > - Jeanne
> >
> >
> > Jeanne Waldman wrote:
> > > Hi there,
> > > I'm about to fix issue:
> > > https://issues.apache.org/jira/browse/TRINIDAD-703
> > >
> > > snippet from issue:
> > >
> > > We register our image resource loader with a fairly loose pattern:
> > > register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
> > > new CoreClassLoaderResourceLoader(parent));
> > >
> > > In theory could someone get at an image on the class path outside of our own images by crafting a funky URL along the lines of "../../../../oracle/someotherpackage/foo.gif"? Yes. ClassLoaderResourceLoader should prevent access outside of the "rootPackage".
> > >
> > >
> > > I mention how I am fixing it (disallowing ".." in the path), so please comment if you'd like.
> > >
> > > Thanks,
> > > Jeanne
> > >
> > >
> >
>
>