rootvector2 opened a new pull request, #1227: URL: https://github.com/apache/axis-axis2-java-core/pull/1227
found while auditing the aar deployment path: `addAsWebResources` writes each `WWW/` archive entry through `new File(out, entryName)` without containment, so a crafted aar entry like `WWW/../../evil.jsp` escapes the per-service web resource directory and writes to an arbitrary path; the fix canonicalizes each target and skips entries that resolve outside `out`.

This is an automated message from the Apache Git Service.
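The containment check described in the pull request, shown as an added example; it is not the Axis2 source and not the patch from the PR. The class `WebResourceContainment`, the method `extractWebResources` and the in-memory sample archive are hypothetical and constructed for this illustration.

```java
import java.io.*;
import java.nio.file.*;
import java.util.*;
import java.util.zip.*;

public class WebResourceContainment {
    // Hypothetical helper: copies WWW/ entries under 'out' and returns the entry names it refused.
    static List<String> extractWebResources(InputStream aar, File out) throws IOException {
        List<String> skipped = new ArrayList<>();
        // Trailing separator so a sibling such as ".../svc1-other" does not pass the prefix test.
        String root = out.getCanonicalPath() + File.separator;
        try (ZipInputStream zin = new ZipInputStream(aar)) {
            for (ZipEntry e; (e = zin.getNextEntry()) != null; ) {
                String name = e.getName();
                if (e.isDirectory() || !name.startsWith("WWW/")) continue;
                File target = new File(out, name);
                // Canonicalization resolves ".." segments, so the check is on the real destination.
                if (!target.getCanonicalPath().startsWith(root)) {
                    skipped.add(name);
                    continue;
                }
                Files.createDirectories(target.getParentFile().toPath());
                Files.copy(zin, target.toPath(), StandardCopyOption.REPLACE_EXISTING);
            }
        }
        return skipped;
    }

    // Constructed sample archive: one ordinary entry and the traversal entry named in the PR text.
    static byte[] sampleAar() throws IOException {
        ByteArrayOutputStream buf = new ByteArrayOutputStream();
        try (ZipOutputStream z = new ZipOutputStream(buf)) {
            for (String n : new String[] {"WWW/index.html", "WWW/../../evil.jsp"}) {
                z.putNextEntry(new ZipEntry(n));
                z.write("constructed".getBytes());
                z.closeEntry();
            }
        }
        return buf.toByteArray();
    }

    public static void main(String[] args) throws IOException {
        File out = new File(Files.createTempDirectory("aar-demo").toFile(), "web/svc1");
        Files.createDirectories(out.toPath());
        List<String> skipped = extractWebResources(new ByteArrayInputStream(sampleAar()), out);
        System.out.println("skipped: " + skipped);
        System.out.println("evil.jsp outside out: " + new File(out.getParentFile(), "evil.jsp").exists());
    }
}
```

Run against the constructed archive, the traversal entry is reported as skipped and nothing is written to the parent of `out`, while `WWW/index.html` lands inside it.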
