You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@shindig.apache.org by "Vincent Siveton (JIRA)" <ji...@apache.org> on 2008/02/17 13:44:36 UTC

[jira] Created: (SHINDIG-75) Using a file as url throws ClassCastException

Using a file as url throws ClassCastException 
----------------------------------------------

                 Key: SHINDIG-75
                 URL: https://issues.apache.org/jira/browse/SHINDIG-75
             Project: Shindig
          Issue Type: Bug
          Components: Gadgets Server - Java
         Environment: r628486
            Reporter: Vincent Siveton
            Assignee: John Hjelmstad
         Attachments: SHINDIG-75.diff

Try to call http://localhost:8080/gadgets/ifr?url=file:///C:/todo.xml
You should get:
{noformat}
INFO: Failed to render gadget
org.apache.shindig.gadgets.GadgetException: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
        at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:497)
        at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:475)
        at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
        at java.util.concurrent.FutureTask.run(FutureTask.java:123)
        at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
        at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
        at java.lang.Thread.run(Thread.java:595)
Caused by: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
        at org.apache.shindig.gadgets.BasicRemoteContentFetcher.getConnection(BasicRemoteContentFetcher.java:56)
        at org.apache.shindig.gadgets.BasicRemoteContentFetcher.fetch(BasicRemoteContentFetcher.java:100)
        at org.apache.shindig.gadgets.GadgetServer$SpecLoadTask.run(GadgetServer.java:325)
        at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:492)
        ... 6 more
{noformat}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Commented: (SHINDIG-75) Using a file as url throws ClassCastException

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.

    [ https://issues.apache.org/jira/browse/SHINDIG-75?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12570047#action_12570047 ] 

Kevin Brown commented on SHINDIG-75:
------------------------------------

Shindig should reject any requests for non-http protocols (except for possibly loading local gadgets, but that is a special case that requires a different implementation, most likely by putting a special directory in place). We certainly do not want users being able to request arbitrary data from the file system -- that's a major security vulnerability.



> Using a file as url throws ClassCastException 
> ----------------------------------------------
>
>                 Key: SHINDIG-75
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-75
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadgets Server - Java
>         Environment: r628486
>            Reporter: Vincent Siveton
>            Assignee: John Hjelmstad
>         Attachments: SHINDIG-75.diff
>
>
> Try to call http://localhost:8080/gadgets/ifr?url=file:///C:/todo.xml
> You should get:
> {noformat}
> INFO: Failed to render gadget
> org.apache.shindig.gadgets.GadgetException: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:497)
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:475)
>         at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:123)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
>         at java.lang.Thread.run(Thread.java:595)
> Caused by: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
>         at org.apache.shindig.gadgets.BasicRemoteContentFetcher.getConnection(BasicRemoteContentFetcher.java:56)
>         at org.apache.shindig.gadgets.BasicRemoteContentFetcher.fetch(BasicRemoteContentFetcher.java:100)
>         at org.apache.shindig.gadgets.GadgetServer$SpecLoadTask.run(GadgetServer.java:325)
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:492)
>         ... 6 more
> {noformat}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Updated: (SHINDIG-75) Using a file as url throws ClassCastException

Posted by "Vincent Siveton (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/SHINDIG-75?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Vincent Siveton updated SHINDIG-75:
-----------------------------------

    Attachment: SHINDIG-75.diff

Here is a patch that takes care of file protocol

> Using a file as url throws ClassCastException 
> ----------------------------------------------
>
>                 Key: SHINDIG-75
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-75
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadgets Server - Java
>         Environment: r628486
>            Reporter: Vincent Siveton
>            Assignee: John Hjelmstad
>         Attachments: SHINDIG-75.diff
>
>
> Try to call http://localhost:8080/gadgets/ifr?url=file:///C:/todo.xml
> You should get:
> {noformat}
> INFO: Failed to render gadget
> org.apache.shindig.gadgets.GadgetException: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:497)
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:475)
>         at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:123)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
>         at java.lang.Thread.run(Thread.java:595)
> Caused by: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
>         at org.apache.shindig.gadgets.BasicRemoteContentFetcher.getConnection(BasicRemoteContentFetcher.java:56)
>         at org.apache.shindig.gadgets.BasicRemoteContentFetcher.fetch(BasicRemoteContentFetcher.java:100)
>         at org.apache.shindig.gadgets.GadgetServer$SpecLoadTask.run(GadgetServer.java:325)
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:492)
>         ... 6 more
> {noformat}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.

[jira] Closed: (SHINDIG-75) Using a file as url throws ClassCastException

Posted by "Kevin Brown (JIRA)" <ji...@apache.org>.

     [ https://issues.apache.org/jira/browse/SHINDIG-75?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Kevin Brown closed SHINDIG-75.
------------------------------

    Resolution: Fixed

No longer an issue since we require url to be http or https scheme now. To be determined whether or not we should support other file loading mechanisms such as local file system resources.

> Using a file as url throws ClassCastException 
> ----------------------------------------------
>
>                 Key: SHINDIG-75
>                 URL: https://issues.apache.org/jira/browse/SHINDIG-75
>             Project: Shindig
>          Issue Type: Bug
>          Components: Gadgets Server - Java
>         Environment: r628486
>            Reporter: Vincent Siveton
>            Assignee: John Hjelmstad
>         Attachments: SHINDIG-75.diff
>
>
> Try to call http://localhost:8080/gadgets/ifr?url=file:///C:/todo.xml
> You should get:
> {noformat}
> INFO: Failed to render gadget
> org.apache.shindig.gadgets.GadgetException: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:497)
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:475)
>         at java.util.concurrent.FutureTask$Sync.innerRun(FutureTask.java:269)
>         at java.util.concurrent.FutureTask.run(FutureTask.java:123)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(ThreadPoolExecutor.java:650)
>         at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:675)
>         at java.lang.Thread.run(Thread.java:595)
> Caused by: java.lang.ClassCastException: sun.net.www.protocol.file.FileURLConnection
>         at org.apache.shindig.gadgets.BasicRemoteContentFetcher.getConnection(BasicRemoteContentFetcher.java:56)
>         at org.apache.shindig.gadgets.BasicRemoteContentFetcher.fetch(BasicRemoteContentFetcher.java:100)
>         at org.apache.shindig.gadgets.GadgetServer$SpecLoadTask.run(GadgetServer.java:325)
>         at org.apache.shindig.gadgets.GadgetServer$WorkflowTask.call(GadgetServer.java:492)
>         ... 6 more
> {noformat}

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.