You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@cocoon.apache.org by Sylvain Wallez <sy...@apache.org> on 2003/11/14 14:58:34 UTC
Re: cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/source/impl
ContextSourceFactory.java
cziegeler@apache.org wrote:
>cziegeler 2003/11/14 05:02:09
>
> Modified: . status.xml
> src/java/org/apache/cocoon/components/source/impl
> ContextSourceFactory.java
> Log:
> <action dev="CZ" type="fix" fixes-bug="24093">
> Disable accessing files outside the context via the context protocol.
> </action>
>
>
<snip/>
> // Remove the protocol and the first '/'
> - int pos = location.indexOf(":/");
> - String path = location.substring(pos+1);
> + final int pos = location.indexOf(":/");
> + final String path = location.substring(pos+1);
> +
> + // fix for #24093, we don't give access to files outside the context:
> + if ( path.indexOf("../") != -1 ) {
> + throw new MalformedURLException("Invalid path ('../' is not allowed) : " + path);
> + }
>
>
Isn't this way of checking too strict? We can have perfectly valid cases
where one concatenates a base "context://foo/bar/" base URI with a
"../baz" relative path.
Sylvain
--
Sylvain Wallez Anyware Technologies
http://www.apache.org/~sylvain http://www.anyware-tech.com
{ XML, Java, Cocoon, OpenSource }*{ Training, Consulting, Projects }
Orixo, the opensource XML business alliance - http://www.orixo.com
Re: cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/source/impl
ContextSourceFactory.java
Posted by Upayavira <uv...@upaya.co.uk>.
Carsten Ziegeler wrote:
>Sylvain Wallez wrote:
>
>
>>> // Remove the protocol and the first '/'
>>> - int pos = location.indexOf(":/");
>>> - String path = location.substring(pos+1);
>>> + final int pos = location.indexOf(":/");
>>> + final String path = location.substring(pos+1);
>>> +
>>> + // fix for #24093, we don't give access to files
>>>
>>>
>>outside the context:
>>
>>
>>> + if ( path.indexOf("../") != -1 ) {
>>> + throw new MalformedURLException("Invalid path
>>>
>>>
>>('../' is not allowed) : " + path);
>>
>>
>>> + }
>>>
>>>
>>>
>>>
>>Isn't this way of checking too strict? We can have perfectly valid cases
>>where one concatenates a base "context://foo/bar/" base URI with a
>>"../baz" relative path.
>>
>>
>>
>Hmmm, who does such nice things?
>Ok, but you're right - don't we have a URL mangler somewhere that does
>this for us?
>
>Carsten
>
>
IIRC NetUtils.normalize() will remove any .. from a URL. It splits on /,
so it can handle a context: protocol, but how it deals with .. at the
beginning of a URL I can't work out immediately. If it doesn't, it
shouldn't be hard to patch it to work appropriately.
Don't know if this is relevent.
Regards, Upayavira
RE: cvs commit:cocoon-2.1/src/java/org/apache/cocoon/components/source/implContextSourceFactory.java
Posted by Carsten Ziegeler <cz...@s-und-n.de>.
Bruno Dumon wrote:
> > >
> > Hmmm, who does such nice things?
>
> The one who does such nice things should use the method
> SourceResolver.resolve(String location, String base, Map parameters)
> instead of concatenating the two strings.
>
> > Ok, but you're right - don't we have a URL mangler somewhere that does
> > this for us?
>
> The SourceResolver does all that.
>
The problem is a little bit different, we don't absolutize the urls
ourselfes, this is done by the servlet context. So we pass a
"hallo/../../this.xml" to the context.
And we want to check before we pass this path to the context, if
a file outside the context is specified, like in the case above.
Can we use the absolutize() method of NetUtils therefore?
Carsten
RE: cvs commit:
cocoon-2.1/src/java/org/apache/cocoon/components/source/impl
ContextSourceFactory.java
Posted by Bruno Dumon <br...@outerthought.org>.
On Fri, 2003-11-14 at 15:11, Carsten Ziegeler wrote:
> Sylvain Wallez wrote:
> >
> > > // Remove the protocol and the first '/'
> > > - int pos = location.indexOf(":/");
> > > - String path = location.substring(pos+1);
> > > + final int pos = location.indexOf(":/");
> > > + final String path = location.substring(pos+1);
> > > +
> > > + // fix for #24093, we don't give access to files
> > outside the context:
> > > + if ( path.indexOf("../") != -1 ) {
> > > + throw new MalformedURLException("Invalid path
> > ('../' is not allowed) : " + path);
> > > + }
> > >
> > >
> >
> > Isn't this way of checking too strict? We can have perfectly valid cases
> > where one concatenates a base "context://foo/bar/" base URI with a
> > "../baz" relative path.
> >
> Hmmm, who does such nice things?
The one who does such nice things should use the method
SourceResolver.resolve(String location, String base, Map parameters)
instead of concatenating the two strings.
> Ok, but you're right - don't we have a URL mangler somewhere that does
> this for us?
The SourceResolver does all that.
--
Bruno Dumon http://outerthought.org/
Outerthought - Open Source, Java & XML Competence Support Center
bruno@outerthought.org bruno@apache.org
RE: cvs commit: cocoon-2.1/src/java/org/apache/cocoon/components/source/impl ContextSourceFactory.java
Posted by Carsten Ziegeler <cz...@s-und-n.de>.
Sylvain Wallez wrote:
>
> > // Remove the protocol and the first '/'
> > - int pos = location.indexOf(":/");
> > - String path = location.substring(pos+1);
> > + final int pos = location.indexOf(":/");
> > + final String path = location.substring(pos+1);
> > +
> > + // fix for #24093, we don't give access to files
> outside the context:
> > + if ( path.indexOf("../") != -1 ) {
> > + throw new MalformedURLException("Invalid path
> ('../' is not allowed) : " + path);
> > + }
> >
> >
>
> Isn't this way of checking too strict? We can have perfectly valid cases
> where one concatenates a base "context://foo/bar/" base URI with a
> "../baz" relative path.
>
Hmmm, who does such nice things?
Ok, but you're right - don't we have a URL mangler somewhere that does
this for us?
Carsten