Henri Gomez wrote:
>> This is likely the protection against reading anything outside the
>> webapp root (see the "allowLinking" of FileDirContext), although I
>> don't know how the digester will try to load the included file.
>
> Digester code is derived from XmlMapper, which is able to locate entities
> in ../../../ directories.
>
> My concern here is:
>
> Specs don't mention restrictions on the use of external entities outside
> the webapp.
>
> So it should be granted by default, isn't it?
>
> I took a look at FileDirContext but I didn't understand what
> allowLinking is.
>
> So my question is: bug or feature?
There's a pretty strict check on the canonical path of a resource which I added. I consider it a security feature. I think a webapp should be self-contained, so I think it's reasonable to have the check as the default. "allowLinking" disables the check.

Don't be lazy, just do a search in FileDirContext ;-)

Remy
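As an added illustration of the canonical-path check Remy describes (example code written for this note, not Tomcat's own FileDirContext; the class and method names are invented), a root-containment check that resolves symlinks and ".." before comparing against the webapp root, with an allowLinking flag that bypasses the comparison:

```java
import java.io.File;
import java.io.IOException;

/** Hypothetical stand-in for the containment check; not Tomcat code. */
public class CanonicalRootCheck {
    private final String canonicalBase;
    private final boolean allowLinking;

    public CanonicalRootCheck(File docBase, boolean allowLinking) throws IOException {
        // Canonicalise the root once so every comparison uses the same prefix.
        this.canonicalBase = docBase.getCanonicalPath();
        this.allowLinking = allowLinking;
    }

    /** Returns the file if it is readable and inside docBase, otherwise null. */
    public File resolve(String relativePath) throws IOException {
        File file = new File(canonicalBase, relativePath);
        if (!file.exists() || !file.canRead()) {
            return null;
        }
        if (!allowLinking) {
            // getCanonicalPath() follows symlinks and collapses "..", so a
            // link inside the webapp that points outside it fails here too.
            String canonical = file.getCanonicalPath();
            if (!canonical.equals(canonicalBase)
                    && !canonical.startsWith(canonicalBase + File.separator)) {
                return null;
            }
        }
        return file;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo layout under the system temp dir.
        File docBase = new File(System.getProperty("java.io.tmpdir"), "webapp-demo");
        new File(docBase, "WEB-INF").mkdirs();
        new File(docBase, "WEB-INF/web.xml").createNewFile();
        new File(docBase.getParentFile(), "outside.xml").createNewFile();

        CanonicalRootCheck strict = new CanonicalRootCheck(docBase, false);
        CanonicalRootCheck linking = new CanonicalRootCheck(docBase, true);
        System.out.println("in-root, strict:      " + (strict.resolve("WEB-INF/web.xml") != null));
        System.out.println("../ escape, strict:   " + (strict.resolve("../outside.xml") != null));
        System.out.println("../ escape, linking:  " + (linking.resolve("../outside.xml") != null));
    }
}
```

The third line of output is the behaviour allowLinking buys, which is why leaving it off by default keeps the webapp self-contained.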