Posted to dev@tapestry.apache.org by Dmitry Gusev <dm...@gmail.com> on 2010/01/19 21:02:59 UTC

Re: Rationale behind the pathPattern regex in the RegexAuthorizer contribution

Then why not restrict relative paths only?

The current implementation forbids paths like:

/path/to/file-1.0.0.png

This isn't a relative path, but it has periods in the filename.

On Tue, Jan 19, 2010 at 20:45, Robert Zeigler <ro...@scazdl.org> wrote:

> To avoid attempts at circumventing restrictions via relative path
> specifications:
> /path/to/available/resource/../../../../path/to/secure/resource
>
> Some (most? all?) browsers will kindly get rid of the relative path
> reference from the request, but it's certainly possible via, eg, curl, wget,
> etc. to craft such a request.  Since we're not actually resolving the asset
> and determining the absolute location, only looking at the requested path
> via regex, it's prudent to deter such attempts.
>
> Robert
>
>
> On Jan 19, 2010, at 4:26 AM, Ulrich Stärk wrote:
>
>> What was the rationale behind not allowing dots in the path part of the
>> URL and additional dots in the filename?
>>
>> Are there any objections against allowing them?
>>
>> Uli
>>
>> ---------------------------------------------------------------------
>> To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
>> For additional commands, e-mail: dev-help@tapestry.apache.org
>>
>
>
>
>


-- 
Dmitry Gusev

AnjLab Team
http://anjlab.com
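The two approaches contrasted in the thread, as an added illustration that is not part of the discussion or of Tapestry's code: a dot-forbidding regex applied to the raw requested path (a constructed approximation of the pattern under discussion, not Tapestry's actual pathPattern) beside a check that resolves `.` and `..` before comparing against an assumed asset root prefix.

```python
import posixpath
import re

# Constructed approximation of a dot-forbidding pattern (not Tapestry's real regex):
# directory segments may not contain '.', and the filename gets exactly one '.'.
DOT_RESTRICTIVE = re.compile(r"^(?:/[^./]+)+/[^./]+\.[^./]+$")

# Assumed prefix under which assets are meant to be served (hypothetical value).
ASSET_ROOT = "/path/to/available/"


def regex_allows(path: str) -> bool:
    """Pure pattern check on the raw requested path.

    Rejects '..' segments because they contain dots, but for the same reason also
    rejects harmless names such as 'file-1.0.0.png'.
    """
    return DOT_RESTRICTIVE.fullmatch(path) is not None


def normalized_allows(path: str) -> bool:
    """Resolve the path first, then decide on its canonical form.

    Traversal is collapsed away before the prefix test, so dots inside a
    filename no longer need to be forbidden to stay safe.
    """
    if not path.startswith("/"):
        return False
    if ".." in path.split("/"):          # explicit traversal segment: reject outright
        return False
    canonical = posixpath.normpath(path)  # collapses '.', '//' and stray '..'
    return canonical.startswith(ASSET_ROOT) and not canonical.endswith("/")


# Constructed sample requests: (expected regex result, expected normalized result)
SAMPLES = {
    "/path/to/available/resource/../../../../path/to/secure/resource": (False, False),
    "/path/to/available/file-1.0.0.png": (False, True),
    "/path/to/available/logo.png": (True, True),
}


def compare_checks() -> dict:
    """Run both checks over SAMPLES; returns {path: (regex_result, normalized_result)}."""
    return {p: (regex_allows(p), normalized_allows(p)) for p in SAMPLES}


if __name__ == "__main__":
    for path, results in compare_checks().items():
        print(f"{path}\n  regex={results[0]} normalized={results[1]}")
```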