[ https://issues.apache.org/jira/browse/SHINDIG-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12570047#action_12570047 ]

Kevin Brown commented on SHINDIG-75:
------------------------------------

Shindig should reject any requests for non-http protocols (except for possibly 
loading local gadgets, but that is a special case that requires a different 
implementation, most likely by putting a special directory in place). We 
certainly do not want users being able to request arbitrary data from the file 
system -- that's a major security vulnerability.



> Using a file as url throws ClassCastException 
> ----------------------------------------------
>
>                 Key: SHINDIG-75
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-75
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadgets Server - Java
>         Environment: r628486
>            Reporter: Vincent Siveton
>            Assignee: John Hjelmstad
>         Attachments: SHINDIG-75.diff
>
>
> Try to call http://localhost:8080/gadgets/ifr?url=file:///C:/todo.xml
> You should get:
> {noformat}
> INFO: Failed to render gadget
> org.apache.shindig.gadgets.GadgetException: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:497)
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:475)
>         at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:123)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
>         at java.lang.Thread.run(Thread.java:595)
> Caused by: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
>         at org.apache.shindig.gadgets.BasicRemoteContentFetcher.getConnection(BasicRemoteContentFetcher.java:56)
>         at org.apache.shindig.gadgets.BasicRemoteContentFetcher.fetch(BasicRemoteContentFetcher.java:100)
>         at org.apache.shindig.gadgets.GadgetServer$SpecLoadTask.run(GadgetServer.java:325)
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:492)
>         ... 6 more
> {noformat}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
