Craig R. McClanahan wrote:

>   Keep in mind that if it works here, it would also work
>   on something like:
> 
>     InputStream stream =
>       getServletContext().getResourceAsStream("../../../etc/passwd");
> 
>   with some suitable number of ".." depending on where you've got
>   Tomcat installed.

And of course, someone could just write 

   InputStream stream = new FileInputStream("/etc/passwd") and not 
bother with any ...

Same for any other processing done with JNDI: URL paths or not.

I agree, however, that people shouldn't rely on resources outside
a web application + relative paths - that's just bad programming
in this environment. 

But it has nothing to do with security - the only way to protect
against access to resources is to use a sandbox. If you don't - 
_anything_ is possible for the user (including System.execute("rm -rf /")).
Any restrictions on the grounds that they 'increase security' are
wrong and just give a false sense of security (which is pretty 
dangerous in itself).

I am -1 on fixing this on 3.3 - but +1 on adding some documentation/readme 
that using this feature is not portable and will not work on other 
containers. 

-- 
Costin
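
The resolution behaviour discussed in this message, as an added example that is not part of the original message and is not Tomcat's code: it shows where a context-relative path with ".." segments ends up relative to the web application root, and the containment check a container could apply. The class name, method name and install path are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ContextPathCheck {

    /**
     * Resolve a context-relative resource path against the webapp root.
     * Returns the normalized path, or null when it would leave the root.
     * Hypothetical helper, not a servlet API method.
     */
    static Path resolveInsideContext(Path contextRoot, String resourcePath) {
        Path root = contextRoot.toAbsolutePath().normalize();
        // Servlet resource paths begin with "/" but are relative to the
        // context root, so drop leading slashes before resolving.
        String relative = resourcePath.replaceFirst("^/+", "");
        // normalize() collapses "." and ".." lexically; it does not follow
        // symlinks (toRealPath() would be needed for that, on existing files).
        Path candidate = root.resolve(relative).normalize();
        // Path.startsWith compares whole name elements, so a sibling
        // directory such as ".../demo-old" does not count as inside ".../demo".
        return candidate.startsWith(root) ? candidate : null;
    }

    public static void main(String[] args) {
        // Constructed install location, assumed for this example.
        Path root = Paths.get("/opt/tomcat/webapps/demo");
        // Constructed sample inputs.
        String[] samples = {
            "/WEB-INF/web.xml",
            "/images/../index.html",
            "../../../etc/passwd",
            "/../demo-old/secret.txt",
        };
        for (String s : samples) {
            Path p = resolveInsideContext(root, s);
            System.out.println(s + " -> "
                + (p == null ? "rejected (outside context root)" : p));
        }
    }
}
```

This check constrains only what the container's resource lookup will resolve; code in the web application that opens files directly is unaffected by it, which is the case the message says needs a sandbox.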


