On Thu, 2009-04-09 at 17:50 -0400, Damian Krzeminski wrote:
> http://track.sipfoundry.org/browse/XCF-2954
>
> Bogdan published his work-in-progress patch for switching sipXconfig
> updates to use XML/RPC. He has some questions: I thought that posting on
> the list might bring some useful comments:
>
> Here it is:
>
> <quoting from Bogdan's update>
>
> - First of all, I had to modify the HttpServer.cpp in sipXtackLib project
> and to bypass some filename uri enforcing. As I saw in code, for security
> reasons, the request to retrieve published files that have filenames
> containing ".." will fail. But the problem is that the files published by
> sipXsupervisor (containing the stdout and stderr of the updates-relative
> command invoked) are published with path relative to the BUILD directory,
> containing "..".
>
> In order to test the functionality of the patch I bypassed the enforcing in
> HttpServer.cpp, but I think that the files should be published with their
> absolute path rather than relative path.

Being able to pass a unit test is not nearly a good enough reason to remove
those (important) security checks.

_______________________________________________
sipx-dev mailing list
[email protected]
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
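
The alternative raised in the quoted update, as an added example (not code from sipXtackLib, sipXsupervisor or the patch): the publisher collapses the relative name to an absolute one before publishing, so the server's refusal of ".." can stay in place. The function names and sample paths are hypothetical, and the component-wise ".." test is an assumption about the check, not a copy of HttpServer.cpp.

```cpp
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

// Split on '/', dropping empty and "." components.
static std::vector<std::string> components(const std::string& path) {
    std::vector<std::string> parts;
    for (std::string::size_type start = 0; start <= path.size();) {
        std::string::size_type end = path.find('/', start);
        if (end == std::string::npos) end = path.size();
        const std::string part = path.substr(start, end - start);
        if (!part.empty() && part != ".") parts.push_back(part);
        start = end + 1;
    }
    return parts;
}

// Publisher side (hypothetical helper): resolve `relative` against the
// absolute `base` lexically. Returns "" if ".." would climb above "/".
// Symlinks are not resolved here.
std::string publishedName(const std::string& base, const std::string& relative) {
    std::vector<std::string> out;
    for (const std::string& part : components(base + "/" + relative)) {
        if (part != "..") { out.push_back(part); continue; }
        if (out.empty()) return "";
        out.pop_back();
    }
    std::string name;
    for (const std::string& part : out) name += "/" + part;
    return name.empty() ? "/" : name;
}

// Server side (assumed form of the check): refuse any ".." component.
bool hasDotDot(const std::string& requested) {
    const std::vector<std::string> parts = components(requested);
    return std::find(parts.begin(), parts.end(), "..") != parts.end();
}

// Server side: serve only absolute, ".."-free names strictly below `root`.
bool isServable(const std::string& root, const std::string& requested) {
    if (requested.empty() || requested[0] != '/' || hasDotDot(requested)) return false;
    const std::vector<std::string> r = components(root), p = components(requested);
    return p.size() > r.size() && std::equal(r.begin(), r.end(), p.begin());
}

int main() {  // constructed sample paths, not taken from the project
    const std::string name = publishedName("/opt/sipx/build", "../var/log/update.stdout");
    std::cout << name << " servable=" << isServable("/opt/sipx/var", name) << "\n";
}
```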
