You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@myfaces.apache.org by "Jeanne Waldman (JIRA)" <de...@myfaces.apache.org> on 2007/09/12 20:00:32 UTC
[jira] Resolved: (TRINIDAD-705) DirectoryResourceLoader doesn't
restrict access outside the root directory like it advertises
[ https://issues.apache.org/jira/browse/TRINIDAD-705?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Jeanne Waldman resolved TRINIDAD-705.
-------------------------------------
Resolution: Fixed
SVN on trunk 575024
> DirectoryResourceLoader doesn't restrict access outside the root directory like it advertises
> ---------------------------------------------------------------------------------------------
>
> Key: TRINIDAD-705
> URL: https://issues.apache.org/jira/browse/TRINIDAD-705
> Project: MyFaces Trinidad
> Issue Type: Bug
> Reporter: Jeanne Waldman
> Assignee: Jeanne Waldman
>
> In DirectoryResourceLoader this code that does not do what it is intended to do:
> * A resource loader implementation which loads resources
> * from a directory. The returned resource URL will be null
> * for file resources that do not exist, or for relative paths
> * that attempt to access paths outside the root directory.
> // "root" directory path should always be less than the file path
> boolean isContained = (_directory.compareTo(file) <= 0);
> I want to change this to compare canonical paths:
> // file path should contain the "root" directory path, not be outside it
> boolean isContained = file.getCanonicalPath().startsWith(_directoryPath);
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.