Posted to commits@myfaces.apache.org by jw...@apache.org on 2007/09/12 19:47:22 UTC
svn commit: r575024 -
/myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java
Author: jwaldman
Date: Wed Sep 12 10:47:22 2007
New Revision: 575024
URL: http://svn.apache.org/viewvc?rev=575024&view=rev
Log:
https://issues.apache.org/jira/browse/TRINIDAD-705
DirectoryResourceLoader doesn't restrict access outside the root directory like it advertises
Modified:
myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java
Modified: myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java
URL: http://svn.apache.org/viewvc/myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java?rev=575024&r1=575023&r2=575024&view=diff
==============================================================================
--- myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java (original)
+++ myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java Wed Sep 12 10:47:22 2007
@@ -23,10 +23,12 @@
import java.net.URL;
+import org.apache.myfaces.trinidad.logging.TrinidadLogger;
+
/**
* A resource loader implementation which loads resources
* from a directory. The returned resource URL will be null
- * for file resources that do not exist, or for relative paths
+ * for file resources that do not exist, or for relative paths
* that attempt to access paths outside the root directory.
*
*/
@@ -47,6 +49,15 @@
throw new IllegalArgumentException();
_directory = directory;
+
+ try
+ {
+ _directoryPath = _directory.getCanonicalPath();
+ }
+ catch (IOException ex)
+ {
+ throw new IllegalArgumentException(ex);
+ }
}
/**
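Review bot: The try/catch that fills `_directoryPath` is pasted identically into both constructors (this hunk and the one at -68,6), so a later change to the canonicalization can land in one and be missed in the other. Moving it into one private static helper and calling it from both, e.g. `_directoryPath = _getCanonicalPath(directory);`, keeps the root used by the containment check computed the same way everywhere. The helper's Javadoc should state that an `IOException` from `getCanonicalPath()` is rethrown as `IllegalArgumentException`. Both constructor bodies start outside their hunks.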
@@ -68,6 +79,16 @@
throw new IllegalArgumentException();
_directory = directory;
+
+ try
+ {
+ _directoryPath = _directory.getCanonicalPath();
+ }
+ catch (IOException ex)
+ {
+ throw new IllegalArgumentException(ex);
+ }
+
}
@Override
@@ -79,10 +100,11 @@
// construct the relative file under the "root" directory
File file = new File(_directory, path).getCanonicalFile();
+
- // "root" directory path should always be less than the file path
- boolean isContained = (_directory.compareTo(file) <= 0);
-
+ // file path should contain the "root" directory path, not be outside it
+ boolean isContained = file.getCanonicalPath().startsWith(_directoryPath);
+
// return null if relative paths were used,
// or if the file does not exist,
// otherwise return an URL to the file resource
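Review bot: The `startsWith(_directoryPath)` test on the new `isContained` line is a plain string-prefix comparison, so a sibling directory whose name merely begins with the root's name (constructed example: root `/srv/res`, file under `/srv/res-private/`) is still treated as contained. Compare against the root with a trailing separator: `String root = _directoryPath.endsWith(File.separator) ? _directoryPath : _directoryPath + File.separator;` followed by `boolean isContained = filePath.equals(_directoryPath) || filePath.startsWith(root);`. Since `file` already comes from `getCanonicalFile()`, `String filePath = file.getPath();` is enough and the second `getCanonicalPath()` call can go. The enclosing method starts and ends outside the hunk.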
@@ -94,4 +116,7 @@
}
private final File _directory;
+ private final String _directoryPath;
+ private static final TrinidadLogger _LOG = TrinidadLogger.createTrinidadLogger(
+ DirectoryResourceLoader.class);
}
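Review bot: `_LOG` is declared here and `TrinidadLogger` is imported in the first hunk, but no visible hunk uses the logger, so a path rejected by the containment check is presumably still dropped silently. Either remove the field and the import, or log the rejected request at warning level where `isContained` is false so that attempts to leave the root directory show up in the server log. The path is caller-supplied, so strip CR/LF from it before writing it to the log. The new field would also read better with a comment such as `// canonical form of _directory, computed once in the constructor`.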