Posted to axis-cvs@ws.apache.org by ga...@apache.org on 2009/03/23 04:17:10 UTC

svn commit: r757306 - /webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/classloader/DirectoryResourceLocation.java

Author: gawor
Date: Mon Mar 23 03:17:07 2009
New Revision: 757306

URL: http://svn.apache.org/viewvc?rev=757306&view=rev
Log:
ensure resources can only be loaded from within the directory specified (AXIS2-4282)

Modified:
    webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/classloader/DirectoryResourceLocation.java

Modified: webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/classloader/DirectoryResourceLocation.java
URL: http://svn.apache.org/viewvc/webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/classloader/DirectoryResourceLocation.java?rev=757306&r1=757305&r2=757306&view=diff
==============================================================================
--- webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/classloader/DirectoryResourceLocation.java (original)
+++ webservices/axis2/trunk/java/modules/kernel/src/org/apache/axis2/classloader/DirectoryResourceLocation.java Mon Mar 23 03:17:07 2009
@@ -37,7 +37,7 @@
 
     public ResourceHandle getResourceHandle(String resourceName) {
         File file = new File(baseDir, resourceName);
-        if (!file.exists()) {
+        if (!file.exists() || !isLocal(file)) {
             return null;
         }
 
@@ -49,6 +49,16 @@
         }
     }
 
+    private boolean isLocal(File file) {
+        try {
+            String base = baseDir.getCanonicalPath();
+            String relative = file.getCanonicalPath();
+            return (relative.startsWith(base));
+        } catch (IOException e) {
+            return false;
+        }
+    }
+    
     public Manifest getManifest() throws IOException {
         if (!manifestLoaded) {
             File manifestFile = new File(baseDir, "META-INF/MANIFEST.MF");
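Review bot: The containment test in `isLocal`, `relative.startsWith(base)`, is a plain string-prefix comparison, so a canonical path in a sibling directory whose name merely begins with the base directory's name (constructed example: base `/srv/app/lib`, file `/srv/app/lib-other/x.class`) still passes. Comparing on a path-component boundary closes that gap: `return relative.equals(base) || relative.startsWith(base + File.separator);`. If `baseDir` can ever be a filesystem root, whose canonical path already ends with the separator, that case needs its own handling. A short comment on `isLocal` would also help, saying that both paths are canonicalised so `..` segments and symbolic links are resolved before the comparison, and that an `IOException` is deliberately treated as "not local". `getManifest`, which follows, runs past the end of the hunk and is not reviewed here.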