[ https://issues.apache.org/jira/browse/TRINIDAD-703?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jeanne Waldman resolved TRINIDAD-703.
-------------------------------------

    Resolution: Fixed

The code change is in ClassLoaderResourceLoader.java.
LoggerBundle.xrts has 2 new translation strings.
The other classes are comment additions.

svn Completed: At revision: 575774
trinidad-api\src\main\java\org\apache\myfaces\trinidad\resource\ClassLoaderResourceLoader.java
trinidad-api\src\main\java\org\apache\myfaces\trinidad\resource\RegexResourceLoader.java
trinidad-api\src\main\xrts\org\apache\myfaces\trinidad\resource\LoggerBundle.xrts
trinidad-impl\src\main\java\org\apache\myfaces\trinidadinternal\resource\CoreClassLoaderResourceLoader.java
trinidad-impl\src\main\java\org\apache\myfaces\trinidadinternal\resource\CoreRenderKitResourceLoader.java

> Make image loading more secure
> ------------------------------
>
>                 Key: TRINIDAD-703
>                 URL: https://issues.apache.org/jira/browse/TRINIDAD-703
>             Project: MyFaces Trinidad
>          Issue Type: Bug
>            Reporter: Jeanne Waldman
>            Assignee: Jeanne Waldman
>
> Andy Schwartz found this issue:
> We register our image resource loader with a fairly loose pattern:
>     register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
>              new CoreClassLoaderResourceLoader(parent));
> In theory could someone get at an image on the class path outside of our own
> images by crafting a funky URL along the lines of
>  "../../../../oracle/someotherpackage/foo.gif"?
> ClassLoaderResourceLoader should prevent access outside of the "rootPackage".
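The traversal concern in the quoted report, shown as an added illustrative guard for a classpath resource loader pinned to one root package. This is example code, not Trinidad's own ClassLoaderResourceLoader or the fix committed above; the class name `RootedResourceLoader`, the method `resolve`, and the package `org/example/images` are hypothetical. The extension allowlist reuses the pattern quoted in the issue.

```java
import java.net.URL;
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.logging.Logger;
import java.util.regex.Pattern;

/**
 * Illustrative classpath resource loader pinned to one root package.
 * Added example, not Trinidad's own ClassLoaderResourceLoader; the class,
 * method and package names are hypothetical.
 */
public final class RootedResourceLoader {

    // Same extension allowlist as the registration pattern quoted in the issue.
    private static final Pattern ALLOWED_EXTENSION =
        Pattern.compile(".*\\.(css|jpg|gif|png|jpeg|svg|js)$");

    private static final Logger LOG =
        Logger.getLogger(RootedResourceLoader.class.getName());

    private final ClassLoader loader;
    private final String rootPackage; // slash form, e.g. "org/example/images"

    public RootedResourceLoader(ClassLoader loader, String rootPackage) {
        this.loader = loader;
        // Normalise "org.example.images" or "/org/example/images/" to "org/example/images".
        this.rootPackage = rootPackage.replace('.', '/').replaceAll("^/+|/+$", "");
    }

    /**
     * Maps an already URL-decoded request path to a classpath resource name.
     * Returns null when the path would leave the root package or names a
     * resource type this loader does not serve.
     */
    public String resolve(String requestPath) {
        if (requestPath == null) {
            return null;
        }
        // Treat backslashes as separators so "..\" cannot bypass the segment walk.
        String path = requestPath.replace('\\', '/');

        // Walk the segments the way a canonicalising file system would, starting
        // from an empty stack that represents the root package itself.
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    // ".." with nothing left to pop means the request climbed above the root.
                    LOG.warning("Rejected resource path escaping root package: " + requestPath);
                    return null;
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);
        }
        if (segments.isEmpty()) {
            return null; // "/" or "/./" names no resource
        }

        String name = rootPackage + "/" + String.join("/", segments);
        if (!ALLOWED_EXTENSION.matcher(name).matches()) {
            LOG.warning("Rejected resource path with disallowed extension: " + requestPath);
            return null;
        }
        return name;
    }

    /** Looks the resource up only after resolve() has confirmed it sits under the root. */
    public URL getResource(String requestPath) {
        String name = resolve(requestPath);
        return name == null ? null : loader.getResource(name);
    }

    public static void main(String[] args) {
        RootedResourceLoader images = new RootedResourceLoader(
            RootedResourceLoader.class.getClassLoader(), "org/example/images");
        // Constructed sample requests: a plain name, a name with an in-bounds "..",
        // the traversal from the issue, and a disallowed extension.
        String[] requests = {
            "/logo.gif",
            "/skins/../logo.gif",
            "/../../../../oracle/someotherpackage/foo.gif",
            "/logo.class"
        };
        for (String request : requests) {
            System.out.println(request + " -> " + images.resolve(request));
        }
    }
}
```

The segment walk is what makes the root boundary enforceable: any `..` that pops an empty stack is refused before the root package is prepended, so the resulting name can never point outside it, while an in-bounds `skins/../logo.gif` still resolves. The check assumes the container has already URL-decoded the path exactly once; a loader that decoded a second time would have to repeat the walk on the decoded form.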

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
