Posted to scm@geronimo.apache.org by ga...@apache.org on 2009/03/23 03:30:59 UTC
svn commit: r757301 - in
/geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src:
main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java
test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java
Author: gawor
Date: Mon Mar 23 02:30:59 2009
New Revision: 757301
URL: http://svn.apache.org/viewvc?rev=757301&view=rev
Log:
ensure resources can only be loaded from within the directory specified (GERONIMO-4600)
Modified:
geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java
geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java
Modified: geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java?rev=757301&r1=757300&r2=757301&view=diff
==============================================================================
--- geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java (original)
+++ geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/main/java/org/apache/geronimo/kernel/classloader/DirectoryResourceLocation.java Mon Mar 23 02:30:59 2009
@@ -37,7 +37,7 @@
public ResourceHandle getResourceHandle(String resourceName) {
File file = new File(baseDir, resourceName);
- if (!file.exists()) {
+ if (!file.exists() || !isLocal(file)) {
return null;
}
@@ -49,6 +49,16 @@
}
}
+ private boolean isLocal(File file) {
+ try {
+ String base = baseDir.getCanonicalPath();
+ String relative = file.getCanonicalPath();
+ return (relative.startsWith(base));
+ } catch (IOException e) {
+ return false;
+ }
+ }
+
public Manifest getManifest() throws IOException {
if (!manifestLoaded) {
File manifestFile = new File(baseDir, "META-INF/MANIFEST.MF");
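Review bot: `relative.startsWith(base)` in `isLocal` is a plain string-prefix comparison, so a canonical path in a sibling directory whose name merely begins with the base directory's name still counts as local (constructed example: base `/data/jar1`, file `/data/jar1-old/x`). The comparison should stop at a path boundary, for instance `return relative.equals(base) || relative.startsWith(base.endsWith(File.separator) ? base : base + File.separator);`. The guard added to `getResourceHandle` in the first hunk relies on this method and inherits the gap. A short Javadoc on `isLocal` would also help, stating that both paths are canonicalised before comparison and that an `IOException` is deliberately treated as "not local" so the lookup fails closed.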
Modified: geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java
URL: http://svn.apache.org/viewvc/geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java?rev=757301&r1=757300&r2=757301&view=diff
==============================================================================
--- geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java (original)
+++ geronimo/server/branches/2.1/framework/modules/geronimo-kernel/src/test/java/org/apache/geronimo/kernel/classloader/UrlResourceFinderTest.java Mon Mar 23 02:30:59 2009
@@ -110,6 +110,14 @@
assertNull(resource.getManifest());
}
+ public void testDirectoryResourceScope() throws Exception {
+ URL jar = new File(BASEDIR, "src/test/data/resourceFinderTest/jar1/").toURL();
+ UrlResourceFinder resourceFinder = new UrlResourceFinder(new URL[]{jar});
+
+ ResourceHandle resource = resourceFinder.getResource("../jar2/resource");
+ assertNull(resource);
+ }
+
public void testJarResource() throws Exception {
URL jar = jarFile.toURL();
UrlResourceFinder resourceFinder = new UrlResourceFinder(new URL[]{jar});
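Review bot: `testDirectoryResourceScope` only probes `../jar2/resource`, and `jar2` differs from the `jar1` base inside the directory name itself, so the assertion passes even when the containment check compares raw string prefixes. A second case against a sibling directory whose name extends the base name would pin the path-boundary behaviour; it needs a fixture such as a constructed `jar1-extra/resource`, and no such fixture is visible on this page. A positive assertion that a name containing `..` but resolving inside `jar1` still returns a handle would guard against the check becoming over-strict.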