Posted to dev@avalon.apache.org by bu...@apache.org on 2003/07/08 09:45:52 UTC
DO NOT REPLY [Bug 21395] New: - [PATCH] don't normalize away /foo/.. for files as foo may be a symlink
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=21395
[PATCH] don't normalize away /foo/.. for files as foo may be a symlink
Summary: [PATCH] don't normalize away /foo/.. for files as foo may be a symlink
Product: Avalon
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: Blocker
Priority: Other
Component: Excalibur
AssignedTo: dev@avalon.apache.org
ReportedBy: Alfred.Nathaniel@swx.com
Normalizing away /foo/.. must not be done for file-URLs because it changes the
semantics if foo is a symbolic link.
Here is the patch wrt revision 1.11 of excalibur.source.SourceUtil.java:
Index: SourceUtil.java
===================================================================
RCS file: /home/repository/eservices/cocoon-
2.1/src/java/org/apache/excalibur/source/SourceUtil.java,v
retrieving revision 1.1.1.1
diff -u -r1.1.1.1 SourceUtil.java
--- SourceUtil.java 2003/07/08 06:58:13 1.1.1.1
+++ SourceUtil.java 2003/07/08 07:26:39
@@ -557,9 +557,11 @@
// combine the 2 paths
String path = stripLastSegment(url1Path);
path = path + (path.endsWith("/") ? "" : "/") + url2Path;
- path = normalize(path);
- return makeUrl(url1Parts[SCHEME], url1Parts[AUTHORITY], path, url2Parts
[QUERY], url2Parts[FRAGMENT]);
+ String scheme = url1Parts[SCHEME];
+ path = normalize(path, scheme);
+
+ return makeUrl(scheme, url1Parts[AUTHORITY], path, url2Parts[QUERY],
url2Parts[FRAGMENT]);
}
/**
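Review bot: once normalize returns file paths untouched, the combined path built here can still carry any "../" segments from url2Path, so this overload no longer guarantees that the result stays under url1's directory for file: URLs. If the aim is correct symlink semantics, resolve the combined path through the filesystem (java.io.File.getCanonicalPath follows symlinks) instead of skipping the RFC 2396 step-6 collapse, so ".." is still eliminated before makeUrl is called.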
@@ -582,9 +584,10 @@
String path = stripLastSegment(path1);
path = path + (path.endsWith("/") ? "" : "/") + path2;
- path = normalize(path);
String scheme = url1Parts[SCHEME];
+ path = normalize(path, scheme);
+
return scheme + ":" + path;
}
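Review bot: this is the same scheme-dependent call as in the previous hunk, so both absolutize overloads now return un-collapsed ".." segments for file paths and lose the same protection. Consider handling the file-scheme case in one shared place so the two overloads cannot drift, and add a test with a path2 containing "../" under the file scheme to pin down the intended behaviour.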
@@ -600,7 +603,7 @@
* Removes things like <segment>/../ or ./, as described in RFC 2396
in
* step 6 of section 5.2.
*/
- private static String normalize(String path)
+ private static String normalize(String path, String scheme)
{
// replace all /./ with /
int i = path.indexOf("/./");
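Review bot: the javadoc above still states that normalize removes <segment>/../ as described in RFC 2396 section 5.2 step 6, which stops being true when "file" is passed as scheme. Document the new parameter and the file exception here, and say explicitly that callers handling file: URLs must perform their own containment check, since the method no longer does the collapse for them.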
@@ -612,6 +615,10 @@
if (path.endsWith("/."))
path = path.substring(0, path.length() - 1);
+
+ // don't normalize away /foo/.. for files as foo may be a symlink
+ if ("file".equals(scheme))
+ return path;
int f = path.indexOf("/../");
while (f > 0)
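Review bot: the early return for "file" skips the "/../" removal that follows it, so a file path such as /base/docs/../../etc/passwd comes back unchanged and any downstream check that depends on the normalized string is bypassed; the "/./" handling above still runs, leaving file paths only half-normalized. The comparison "file".equals(scheme) is also case-sensitive although RFC 2396 scheme names are not, so "FILE:" URLs would take the normalizing branch while "file:" ones would not. Suggest keeping the lexical collapse and addressing the symlink case by canonicalizing against the filesystem instead.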
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@avalon.apache.org
For additional commands, e-mail: dev-help@avalon.apache.org
RE: DO NOT REPLY [Bug 21395] New: - [PATCH] don't normalize away /foo/.. for files as foo may be a symlink
Posted by Leo Sutic <le...@inspireinfrastructure.com>.
The normalizing is done for security reasons to avoid unrestricted
directory traversal. -1 on the proposed change.
/LS
> From: bugzilla@apache.org [mailto:bugzilla@apache.org]
> Subject: DO NOT REPLY [Bug 21395] New: - [PATCH] don't
> normalize away /foo/.. for files as foo may be a symlink
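The two positions in this thread, as an added example that is not Excalibur or SourceUtil code: a lexical RFC 2396 step-6 normalizer in the spirit of the patched method, a containment check built on it, and a constructed symlink layout (a temporary directory with base/link pointing at other/sub) that shows why lexical collapsing of "link/.." disagrees with the filesystem, and why skipping the collapse is not the fix. The helper names and the /srv/base sample path are assumptions for the demo.

```python
"""Added example (not Excalibur/SourceUtil code): lexical RFC 2396 step-6
normalization versus filesystem resolution when a path segment is a symlink."""
import os
import tempfile


def normalize(path):
    """Drop '.' segments and collapse '<segment>/..' lexically (RFC 2396
    section 5.2 step 6). A '..' that cannot be collapsed is kept so a caller
    can see that the path tried to climb above its root. Trailing slashes
    are not preserved; this demo only cares about the segments."""
    absolute = path.startswith("/")
    out = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == ".." and out and out[-1] != "..":
            out.pop()
        else:
            out.append(seg)
    return ("/" if absolute else "") + "/".join(out)


def lexically_within(path, base):
    """Containment decided on the normalized string alone (no filesystem)."""
    norm = normalize(path)
    return ".." not in norm.split("/") and (norm == base or norm.startswith(base + "/"))


def really_within(path, base):
    """Containment decided after the OS has resolved symlinks and '..'."""
    real = os.path.realpath(path)
    return real == base or real.startswith(base + "/")


def symlink_demo():
    """Constructed layout: <root>/base/link -> <root>/other/sub. Resolves
    base/link/../x.txt lexically and via the OS; returns
    (raw_path, lexical_path, real_path, base)."""
    root = os.path.realpath(tempfile.mkdtemp())
    base = os.path.join(root, "base")
    target = os.path.join(root, "other", "sub")
    os.makedirs(base)
    os.makedirs(target)
    os.symlink(target, os.path.join(base, "link"))
    raw = os.path.join(base, "link", "..", "x.txt")
    return raw, normalize(raw), os.path.realpath(raw), base


if __name__ == "__main__":
    # A naive prefix check on the raw string accepts a traversal path that
    # the normalized form exposes: this is what the collapse protects.
    raw = "/srv/base/docs/../../etc/passwd"
    print(raw.startswith("/srv/base"), lexically_within(raw, "/srv/base"))
    # The reporter's case: lexical and filesystem views of link/.. differ.
    print(symlink_demo())
```

Lexical normalization and a prefix check catch the string-level traversal, while the symlink case needs a filesystem-level check such as realpath; dropping normalization satisfies neither.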