Scott Lawrence wrote:
> On Thu, 2009-04-09 at 17:50 -0400, Damian Krzeminski wrote:
>> http://track.sipfoundry.org/browse/XCF-2954
>>
>> Bogdan published his work-in-progress patch for switching sipXconfig
>> updates to use XML/RPC. He has some questions: I thought that posting on
>> the list might bring some useful comments:
>>
>> Here it is:
>>
>> <quoting from Bogdan's update>
>>
>> - First of all, I had to modify the HttpServer.cpp in sipXtackLib project
>> and to bypass some filename URI enforcing. As I saw in code, for security
>> reasons, the request to retrieve published files that have filenames
>> containing ".." will fail. But the problem is that the files published by
>> sipXsupervisor (containing the stdout and stderr of the updates-relative
>> command invoked) are published with path relative to the BUILD directory,
>> containing ".." .
>>
>> In order to test the functionality of the patch I bypassed the enforcing in
>> HttpServer.cpp, but I think that the files should be published with their
>> absolute path rather than relative path.
> 
> Being able to pass a unit test is not nearly a good enough reason to
> remove those (important) security checks.
> 
> 

Is this really what Bogdan says?
I read this as "I changed the HttpServer.cpp temporarily in order to test
upgrades"

At any rate, it would be nice if we could test upgrades in a developer
environment. If anyone can help with those relative paths it would be
appreciated.
D.

_______________________________________________
sipx-dev mailing list
List Archive: http://list.sipfoundry.org/archive/sipx-dev
Unsubscribe: http://list.sipfoundry.org/mailman/listinfo/sipx-dev
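
An added example, not code from sipXtackLib, sipXsupervisor or Bogdan's patch: one way the publishing side could resolve a build-relative path to an absolute one so that the ".." rejection described in the thread can stay in place. The function names and the sample paths are hypothetical and constructed for illustration; the substring check only mirrors the behaviour as the thread describes it.

```cpp
#include <sstream>
#include <string>
#include <vector>

// Split a path on '/', dropping empty and "." segments.
static std::vector<std::string> segments(const std::string& path) {
    std::vector<std::string> out;
    std::stringstream ss(path);
    std::string seg;
    while (std::getline(ss, seg, '/'))
        if (!seg.empty() && seg != ".") out.push_back(seg);
    return out;
}

// Server-side check as described in the thread (assumed form): refuse any
// requested file name that contains "..".
bool containsDotDot(const std::string& name) {
    return name.find("..") != std::string::npos;
}

// Publisher side: resolve relPath against baseDir into an absolute path with
// every ".." collapsed. Returns "" if the path would climb above the root.
std::string toAbsolute(const std::string& baseDir, const std::string& relPath) {
    std::vector<std::string> stack = segments(baseDir);
    if (!relPath.empty() && relPath[0] == '/') stack.clear();  // already absolute
    for (const std::string& seg : segments(relPath)) {
        if (seg != "..") { stack.push_back(seg); continue; }
        if (stack.empty()) return "";   // would escape the filesystem root
        stack.pop_back();
    }
    std::string out;
    for (const std::string& seg : stack) out += "/" + seg;
    return out.empty() ? "/" : out;
}

// True when the published name would pass the ".." check after resolution.
bool publishable(const std::string& baseDir, const std::string& relPath) {
    const std::string abs = toAbsolute(baseDir, relPath);
    return !abs.empty() && !containsDotDot(abs);
}

int main() {
    // Constructed sample: a log path relative to a developer build directory.
    return publishable("/home/dev/build/bin", "../var/log/update.stdout") ? 0 : 1;
}
```
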
