DirectoryResourceLoader doesn't restrict access outside the root directory like
it advertises
---------------------------------------------------------------------------------------------
Key: TRINIDAD-705
URL: https://issues.apache.org/jira/browse/TRINIDAD-705
Project: MyFaces Trinidad
Issue Type: Bug
Reporter: Jeanne Waldman
Assignee: Jeanne Waldman
In DirectoryResourceLoader, the following code does not do what the class comment says it does:
* A resource loader implementation which loads resources
* from a directory. The returned resource URL will be null
* for file resources that do not exist, or for relative paths
* that attempt to access paths outside the root directory.
// "root" directory path should always be less than the file path
boolean isContained = (_directory.compareTo(file) <= 0);
I want to change this to compare canonical paths:
// file path should contain the "root" directory path, not be outside it
boolean isContained = file.getCanonicalPath().startsWith(_directoryPath);
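To make the difference concrete, here is an added example (not Trinidad's own code) that runs both checks side by side against constructed paths under a hypothetical root directory; it also goes one step beyond the proposed fix by appending the path separator so that a sibling directory whose name merely starts with the root's name is not accepted.

```java
import java.io.File;
import java.io.IOException;

// Contrasts the lexicographic containment check from the issue with a
// canonical-path check. Root and candidate paths are constructed for the demo.
public class ContainmentCheckDemo {

    // The original check: File.compareTo is a lexicographic comparison of
    // path strings, so any path that merely sorts after the root "passes".
    static boolean lexicographicCheck(File root, File file) {
        return root.compareTo(file) <= 0;
    }

    // Canonical-path check: canonicalisation collapses ".." segments, and the
    // trailing separator stops "/root2/x" from matching a root of "/root".
    static boolean canonicalCheck(File root, File file) throws IOException {
        String rootPath = root.getCanonicalPath();
        String filePath = file.getCanonicalPath();
        if (filePath.equals(rootPath)) {
            return true;
        }
        if (!rootPath.endsWith(File.separator)) {
            rootPath += File.separator;
        }
        return filePath.startsWith(rootPath);
    }

    public static void main(String[] args) throws IOException {
        // Hypothetical root; it does not need to exist for getCanonicalPath().
        File root = new File(System.getProperty("java.io.tmpdir"), "trinidad-root");
        File[] candidates = {
            new File(root, "css/skin.css"),          // inside the root
            new File(root, "../outside.txt"),        // ".." escapes the root
            new File(root.getPath() + "2", "x.css"), // sibling sharing the root's prefix
        };
        for (File f : candidates) {
            System.out.printf("%-50s lexicographic=%-5b canonical=%b%n",
                f.getPath(), lexicographicCheck(root, f), canonicalCheck(root, f));
        }
    }
}
```

The lexicographic check reports all three candidates as contained, while the canonical check accepts only the first.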