Craig R. McClanahan wrote:
> Keep in mind that if it works here, it would also work
> on something like:
>
>   InputStream stream =
>     getServletContext().getResourceAsStream("../../../etc/passwd");
>
> with some suitable number of ".." depending on where you've got
> Tomcat installed.

And of course, someone could just write InputStream stream = new FileInputStream("/etc/passwd") and not bother with any ... Same for any other processing done with JNDI: URL paths or not.

I agree however that people shouldn't rely on resources outside a web application + relative paths - that's just bad programming in this environment.

But it has nothing to do with security - the only way to protect against access to resources is to use a sandbox. If you don't - _anything_ is possible for the user (including System.execute("rm -rf /")).

Any restrictions on the grounds that they 'increase security' are wrong and just give a false sense of security (which is pretty dangerous in itself).

I am -1 on fixing this on 3.3 - but +1 on adding some documentation/readme that using this feature is not portable and will not work on other containers.

--
Costin
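
An added example, not part of the original thread and not Tomcat's code: a containment check of the kind a container can apply to the path given to getResourceAsStream, so that ".." segments cannot leave the context root. The class name ContextResourceResolver and the root /opt/tomcat/webapps/app are hypothetical; the check constrains only this one lookup and does nothing about direct file APIs such as FileInputStream, which is the point made in the reply above.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper: resolves resource paths strictly inside one context root.
public class ContextResourceResolver {
    private final Path root;

    public ContextResourceResolver(Path contextRoot) {
        this.root = contextRoot.toAbsolutePath().normalize();
    }

    /** Returns the normalized path, or null if it would leave the context root. */
    public Path resolve(String resourcePath) {
        // Drop leading slashes so the input is always treated as relative to the root.
        String relative = resourcePath.replaceFirst("^/+", "");
        Path candidate = root.resolve(relative).normalize();
        // Path.startsWith compares whole name elements, so a sibling directory
        // such as ".../app-other" does not pass as being inside ".../app".
        return candidate.startsWith(root) ? candidate : null;
    }

    /** Opens the resource, or returns null, as getResourceAsStream does for a miss. */
    public InputStream open(String resourcePath) throws IOException {
        Path p = resolve(resourcePath);
        if (p == null || !Files.isRegularFile(p)) {
            return null;
        }
        // Re-check after following symlinks: a link inside the root may point outside it.
        Path real = p.toRealPath();
        return real.startsWith(root.toRealPath()) ? Files.newInputStream(real) : null;
    }

    public static void main(String[] args) {
        // Constructed sample inputs, including the path quoted in the thread.
        ContextResourceResolver r =
            new ContextResourceResolver(Paths.get("/opt/tomcat/webapps/app"));
        String[] samples = {
            "/WEB-INF/web.xml", "../../../etc/passwd",
            "/images/../../app-other/x", "images/./logo.gif"
        };
        for (String s : samples) {
            Path p = r.resolve(s);
            System.out.println(s + " -> " + (p == null ? "rejected" : p.toString()));
        }
    }
}
```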