Henri Gomez wrote:
> Remy Maucherat wrote:
>
>> Henri Gomez wrote:
>>
>>>> This is likely the protection against reading anything outside the
>>>> webapp root (see the "allowLinking" of FileDirContext), although I
>>>> don't know how the digester will try to load the included file.
>>>
>>> Digester code is derived from XmlMapper which is able to locate
>>> entities in ../../../ directories.
>>>
>>> My concern here is:
>>>
>>> Specs didn't mention restrictions on use of external entities outside
>>> the webapp.
>>>
>>> So it should be granted by default, isn't it?
>>>
>>> I took a look at FileDirContext but I didn't understand what
>>> allowLinking is.
>>>
>>> So my question is: bug or feature?
>>
>> There's a pretty strict check on the canonical path of a resource
>> which I added.
>> I consider it a security feature. I think a webapp should be self
>> contained, so I think it's reasonable to have the check as the default.
>>
>> "allowLinking" disables the check.
>>
>> Don't be lazy, just do a search in FileDirContext ;-)
>
> I took a look at this but Digester didn't use FileDirContext so the
> allowLinking didn't fit.
>
> The problem seems to be only in Digester which fails to load
> ../../../settings.xml
>
> What could we do?
>
> PS: I tried with TC 4.1.x and all commons from CVS.
>
> at org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344)
> at java.net.URL.openStream(URL.java:793)
Well, that's exactly the same. Where do you think that weird URL connection goes?? (hint: to the aforementioned FileDirContext, through some classloader binding)

The place where it gets rejected should be the FileDirContext.file() method, as far as I can remember.

Remy
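As an added illustration (not Tomcat's own FileDirContext code) of the kind of canonical-path containment check Remy describes, with an allowLinking switch that disables it; the class and method names are hypothetical:

```java
import java.io.File;
import java.io.IOException;

// Hypothetical illustration of a canonical-path containment check for
// webapp resources; not the code from Tomcat's FileDirContext.
public class WebappResourceResolver {
    private final File base;            // canonical webapp root
    private final boolean allowLinking; // true disables the containment check

    public WebappResourceResolver(File root, boolean allowLinking) throws IOException {
        this.base = root.getCanonicalFile();
        this.allowLinking = allowLinking;
    }

    /** Returns the file for a webapp-relative name, or null if it is missing or escapes the root. */
    public File resolve(String name) throws IOException {
        File f = new File(base, name);
        if (!allowLinking) {
            // Canonicalisation resolves ".." segments and symbolic links, so a name
            // such as "../../../settings.xml" (or a link pointing outside the root)
            // ends up with a canonical path that is not under the webapp root.
            String canonical = f.getCanonicalPath();
            String prefix = base.getPath() + File.separator;
            if (!canonical.equals(base.getPath()) && !canonical.startsWith(prefix)) {
                return null; // outside the webapp: treat as not found
            }
        }
        return f.exists() ? f : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed demo layout under the temp directory.
        File root = new File(System.getProperty("java.io.tmpdir"), "demo-webapp");
        new File(root, "WEB-INF").mkdirs();
        new File(root, "WEB-INF/web.xml").createNewFile();

        WebappResourceResolver strict = new WebappResourceResolver(root, false);
        WebappResourceResolver lax = new WebappResourceResolver(root, true);
        System.out.println("strict WEB-INF/web.xml      : " + strict.resolve("WEB-INF/web.xml"));
        System.out.println("strict ../../../settings.xml: " + strict.resolve("../../../settings.xml"));
        System.out.println("lax    ../../../settings.xml: " + lax.resolve("../../../settings.xml"));
    }
}
```

With the strict resolver the traversal name is rejected before the filesystem is consulted, which is the behaviour the thread attributes to the default (allowLinking off) configuration.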