You are viewing a plain text version of this content. The canonical link for it is here.

Posted to issues@cordova.apache.org by "ASF subversion and git services (JIRA)" <ji...@apache.org> on 2014/01/31 23:00:09 UTC

[jira] [Commented] (CB-5960) File API mishandles relative URLs that traverse directories above the FS root

    [ https://issues.apache.org/jira/browse/CB-5960?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13888216#comment-13888216 ] 

ASF subversion and git services commented on CB-5960:
-----------------------------------------------------

Commit c04c25c22837d1da560d69b5fbe10bd34aae1037 in branch refs/heads/master from [~iclelland]
[ https://git-wip-us.apache.org/repos/asf?p=cordova-mobile-spec.git;h=c04c25c ]

CB-5960: Validate handling of parent references in file api


> File API mishandles relative URLs that traverse directories above the FS root
> -----------------------------------------------------------------------------
>
>                 Key: CB-5960
>                 URL: https://issues.apache.org/jira/browse/CB-5960
>             Project: Apache Cordova
>          Issue Type: Bug
>            Reporter: Ian Clelland
>
> Filesystem URLs should not be able to use ".." path components to reach outside of their sandbox. From the File API, ".." relative to a path resolves to the paths parent directory, and the parent directory of the filesystem root is itself.
> So, if {{root}} is a DirectoryEntry representing the root of a filesystem, then
> {code}
> root.getFile("../file.txt", ...);
> {code}
> and
> {code}
> root.getFile("/file.txt", ...);
> {code}
> should resolve to the same file.
> {code}
> root.getDirectory("subdir_a/subdir_b", function(entry) {
>     entry.getFile("../file.txt", ...);
> }, ...);
> {code}
> should resolve to "/subdir_a/file.txt"



--
This message was sent by Atlassian JIRA
(v6.1.5#6160)