Posted to commits@myfaces.apache.org by jw...@apache.org on 2007/09/12 19:47:22 UTC

svn commit: r575024 - /myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java

Author: jwaldman
Date: Wed Sep 12 10:47:22 2007
New Revision: 575024

URL: http://svn.apache.org/viewvc?rev=575024&view=rev
Log:
https://issues.apache.org/jira/browse/TRINIDAD-705
 DirectoryResourceLoader doesn't restrict access outside the root directory like it advertises

Modified:
    myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java

Modified: myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java
URL: http://svn.apache.org/viewvc/myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java?rev=575024&r1=575023&r2=575024&view=diff
==============================================================================
--- myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java (original)
+++ myfaces/trinidad/trunk/trinidad/trinidad-api/src/main/java/org/apache/myfaces/trinidad/resource/DirectoryResourceLoader.java Wed Sep 12 10:47:22 2007
@@ -23,10 +23,12 @@
 
 import java.net.URL;
 
+import org.apache.myfaces.trinidad.logging.TrinidadLogger;
+
 /**
  * A resource loader implementation which loads resources
  * from a directory.  The returned resource URL will be null
- * for file resources that do not exist, or for relative paths 
+ * for file resources that do not exist, or for relative paths
  * that attempt to access paths outside the root directory.
  *
  */
@@ -47,6 +49,15 @@
       throw new IllegalArgumentException();
 
     _directory = directory;
+    
+    try
+    {
+      _directoryPath = _directory.getCanonicalPath();
+    }
+    catch (IOException ex)
+    {
+      throw new IllegalArgumentException(ex);
+    }    
   }
 
   /**
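Review bot: The canonicalisation try/catch added here is repeated verbatim in the second constructor (the hunk at -68,6 +79,16), so any later change to how the root is resolved has to be made in two places. Consider having one constructor delegate to the other, or moving the block into a small private static helper that returns the canonical path, so each constructor only needs `_directoryPath = _canonicalPath(directory);`. The catch clause also depends on `java.io.IOException` being imported; the import hunk shows only `java.net.URL` and the new logger import, so it is presumably already present elsewhere in the file, but that is worth confirming. Both constructors begin outside their hunks.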
@@ -68,6 +79,16 @@
       throw new IllegalArgumentException();
 
     _directory = directory;
+    
+    try
+    {
+      _directoryPath = _directory.getCanonicalPath();
+    }
+    catch (IOException ex)
+    {
+      throw new IllegalArgumentException(ex);
+    }
+
   }
 
   @Override
@@ -79,10 +100,11 @@
 
     // construct the relative file under the "root" directory
     File file = new File(_directory, path).getCanonicalFile();
+    
 
-    // "root" directory path should always be less than the file path
-    boolean isContained = (_directory.compareTo(file) <= 0);
-
+    // file path should contain the "root" directory path, not be outside it
+    boolean isContained = file.getCanonicalPath().startsWith(_directoryPath);
+    
     // return null if relative paths were used, 
     // or if the file does not exist,
     // otherwise return an URL to the file resource
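Review bot: The new `isContained` check is a plain string-prefix test, so a canonical path in a sibling directory whose name merely begins with the root's name still passes `startsWith(_directoryPath)` (constructed example: root `/srv/res`, file `/srv/res-private/x`). Compare against the root followed by a separator instead, e.g. `String p = file.getPath();` then `boolean isContained = p.equals(_directoryPath) || p.startsWith(_directoryPath + File.separator);`. Since `file` already comes from `getCanonicalFile()`, the second `getCanonicalPath()` call is redundant. A root that is itself the filesystem root needs separate handling, because its canonical path already ends with the separator. The enclosing method begins and ends outside this hunk.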
@@ -94,4 +116,7 @@
   }
 
   private final File _directory;
+  private final String _directoryPath;
+  private static final TrinidadLogger _LOG = TrinidadLogger.createTrinidadLogger(
+    DirectoryResourceLoader.class);
 }
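Review bot: `_LOG` is declared here, and `TrinidadLogger` is imported in the first hunk, but none of the visible hunks calls it. Either drop the field and the import, or use the logger at the point where `isContained` is false so that rejected requests for paths outside the root leave a trace for operators. If the requested path is logged, it is request-derived and should be treated as untrusted text in the log line. A short comment on the new field, such as `// canonical form of _directory, computed once in the constructor`, would also make its relationship to `_directory` explicit.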