Stephan Hesmer wrote:
>
> There is possibly a new bug in Jetspeed, due to the changes to EngineContext
> and JetspeedServlet.
>
> The new getResource function in EngineContext returns a URL to a resource
> on the server, which is normally local. For example:
> It returns "file:D:\jakarta-tomcat\webapps\ROOT/content/psml/default.psml"
> for "/content/psml/default.psml"
>
Some bugs are corrected in the upcoming EngineContext service, but I think
most of your issues will stay...
> This causes several problems:
> * the RSS portlet is not running anymore (in my case the Jetspeed portlet),
> and
The Jetspeed portlet is not RSS, it's jetspeed content. This works on my
machine so I believe this is already fixed in the EngineContext service.
> * the URL is not considered as local from Jetspeed (Jetspeed is looking for
> "file://")
>
> While changing and testing it on my PC, I discovered several code pieces,
> which do not make sense or I simply do not understand:
> * PortletFactory
> //make sure that no one tries to instantiate a portlet with a file URL
> if ( pc.getURL() != null && pc.getURL().indexOf( "file://" ) == 0 )
> {
>     String message = "Local URLs not served through HTTP to prevent security holes: " + pc.getURL();
>     Log.error( message );
>     throw new PortletException( message );
> }
> OK, before modifying EngineContext a local URL was represented by
> "http://localhost:port/...". But now, it is something like "file:D:/....".
> So, is it just luck that we are asking here for "file://"? Surely, we can
> not rely on that information, because servers other than Tomcat could return
> "file://".
> On the other side, we will get a problem when fixing this code... nearly
> every portlet is rejected and therefore not displayed
>
IMO, we should accept any URL in the PortletFactory and not filter out 'file:'
URLs.
Why? Because every URL the PortletFactory sees is "trusted" since it
can only be registered by the administrator or the feed daemon; users never
specify their URLs themselves.
I think it's safe to always trust the administrator-configured file since if
someone unauthorized can modify this file, it's most likely he can modify the
system in other ways that would create unsecured access to local files.
However the Feed Daemon should filter which URLs it accepts to prevent bogus
feeds from creating security issues.
> * JetspeedDiskCache
> //attempt to see if the user didn't specify a URL; if they didn't then
> //assume it is localhost with the servlet port
> if ( DiskCacheUtils.isLocal( url ) && url.indexOf("file://") == -1 ) {
> Why do we ask here for isLocal and forbid "file://"? Someone who knows this
> code better than me?
>
> * DiskCacheUtils
> In this file you can find the isLocal function, which asks for "file://"....
> do I have to say anymore?
>
Nope. I've tried to understand the JetspeedDiskCache system when working on
the URLManager and pretty quickly became very confused about the way it works.
Santiago seems to have got it however since I saw a lot of patches done by
him in these files.
I'm just waiting for his clean-up of this component...
>
> I think, that Jetspeed needs to recognize this type of URL (file:D:/...) as
> local, and therefore we have to change the files I mentioned above. Does
> anybody know who wrote or modified the files or who is working on the
> isLocal stuff?
>
+1 for the change.
I think Santiago or Kevin are the ones who can help you on this subject.
--
Raphaël Luta - [EMAIL PROTECTED]
--
--------------------------------------------------------------
Please read the FAQ! <http://java.apache.org/faq/>
To subscribe: [EMAIL PROTECTED]
To unsubscribe: [EMAIL PROTECTED]
Archives and Other: <http://marc.theaimsgroup.com/?l=jetspeed>
Problems?: [EMAIL PROTECTED]
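The thread turns on the fact that PortletFactory, JetspeedDiskCache and DiskCacheUtils all test for the literal prefix "file://", which no longer matches the "file:D:/..." form that the new EngineContext.getResource returns (nor the "file:/path" form that java.io.File.toURL() produces on Unix). The following is an added example, not code from this thread or from Jetspeed, showing a scheme-based check that recognises every spelling of a file URL; the class and method names are assumptions, and the sample URLs are constructed here for illustration.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;

/**
 * Added example (not Jetspeed code): decide whether a portlet/content URL
 * points at a local file by parsing its scheme instead of looking for the
 * literal prefix "file://". "file:D:/x", "file:/tmp/x", "FILE:///x" and
 * "file://host/x" are all file URLs; only the last one has the "//".
 */
public class LocalUrlCheck {

    /** True if the URL's scheme is "file", whatever the path syntax after the colon. */
    public static boolean isFileUrl(String url) {
        if (url == null) {
            return false;
        }
        try {
            String scheme = new URI(url).getScheme();
            return scheme != null && scheme.toLowerCase(Locale.ROOT).equals("file");
        } catch (URISyntaxException e) {
            // "file:D:\path" with backslashes is not a syntactically valid URI
            // (Windows File.toURL() output can look like this); fall back to a
            // case-insensitive "file:" prefix test rather than silently passing it.
            return url.regionMatches(true, 0, "file:", 0, 5);
        }
    }

    /** The prefix test as quoted from PortletFactory / DiskCacheUtils, kept for comparison. */
    public static boolean isFileUrlPrefixCheck(String url) {
        return url != null && url.indexOf("file://") == 0;
    }

    public static void main(String[] args) {
        // Constructed sample URLs, including the "file:D:..." form from the thread.
        String[] samples = {
            "file://localhost/etc/passwd",
            "file:///etc/passwd",
            "file:/tmp/x.xml",
            "file:D:/jakarta-tomcat/webapps/ROOT/content/psml/default.psml",
            "file:D:\\jakarta-tomcat\\webapps\\ROOT/content/psml/default.psml",
            "FILE:/tmp/x.xml",
            "http://localhost:8080/content/psml/default.psml",
            "http://evil.example/file://not-local"
        };
        System.out.println("prefix-check  scheme-check  url");
        for (String url : samples) {
            System.out.printf("%-13s %-13s %s%n",
                    isFileUrlPrefixCheck(url), isFileUrl(url), url);
        }
    }
}
```

Run with plain `javac LocalUrlCheck.java && java LocalUrlCheck`: the prefix check only flags the first two samples, while the scheme check flags all six file URLs and neither http URL. If the project keeps a "reject file URLs in PortletFactory" rule, this is the form it needs to be effective; if, as argued above, file URLs from the administrator are to be accepted, the same scheme test is the natural filter for the Feed Daemon, where the URLs come from untrusted feeds.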