Ok, just be very careful. For instance if you force a top level directory

    File file = new File(TOP_LEVEL, request.getParameter("file"));

A hacker can still try

    http://site/read-file?file=../../../admin/passwords.xml

If I were you, I would abstract reading from / writing to files by a Resource interface so that it could be swapped out for FTP, database, zip file etc, etc. As a rule, I don't think that java.io.File should EVER be on a public interface.

My 2p.

On Tuesday, 13 March 2012, Dragan Sahpaski <dragan.sahpa...@gmail.com> wrote:
> Hey Lance,
> Thanks for taking time to look at this.
>
> The code you suggested is a servlet implementation of the javascript editor
> component.
> We won't use this approach. The javascript component will be integrated
> with tapestry and the request/response cycles will be passing parameters in
> urls/getting json response.
>
> The parameters will of course be validated, according to the provided
> permissions module.
>
> Eager to hear more thoughts on this.
>
> Cheers,
> Dragan Sahpaski
>
> On Tue, Mar 13, 2012 at 11:01 AM, Lance Java <lance.j...@googlemail.com> wrote:
>
>> I'm always very wary of servlets that allow access to a filename passed in
>> as a request parameter... you are potentially opening up complete access to
>> your server if you are not careful. Before introducing something like this
>> into your application you must do a security audit on it
>>
>> https://github.com/Studio-42/elfinder-servlet/blob/master/src/main/java/org/elfinder/servlets/commands/OpenCommand.java
>>
>> On Tuesday, 13 March 2012, Dragan Sahpaski <dragan.sahpa...@gmail.com> wrote:
>> > Hi Ville,
>> > We decided to go with http://elfinder.org/.
>> > The discussion is on the tynamo dev list.
>> > It's BSD licensed, the code is pretty clean, it's actively developed, and
>> > it looks pretty stable.
>> > I'll integrate it very shortly (this week) and give you a link to a demo,
>> > or just follow the list.
>> >
>> > If it turns out ok we'll have another tynamo module.
>> >
>> > Cheers,
>> > Dragan Sahpaski
>> >
>> > On Mon, Mar 12, 2012 at 9:30 PM, Ville <ville.virta...@orientimport.fi> wrote:
>> >
>> >> Hi,
>> >>
>> >> CKFinder is a commercial product with no freeware licensing model afaik.
>> >> However their prices are so low that I'd be happy to pay if the product is
>> >> good. Then the ckeditor component should only provide a bridge to their
>> >> java implementation and let the developer using the component provide the
>> >> actual paid ckfinder for it.
>> >>
>> >> The upload-only approach is not an option for us, as the users really need
>> >> the browsing view to the server and its files with thumbnails.
>> >>
>> >> - Ville
>> >>
>> >> --
>> >> View this message in context:
>> >> http://tapestry.1045711.n5.nabble.com/Simple-CMS-content-editor-component-tp5494712p5559036.html
>> >> Sent from the Tapestry - User mailing list archive at Nabble.com.
>> >>
>> >> ---------------------------------------------------------------------
>> >> To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
>> >> For additional commands, e-mail: users-h...@tapestry.apache.org
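An added example, not code from the thread or from elFinder, of the two pieces of advice at the top of this message: a Resource interface that keeps java.io.File off the public API, and a directory-backed implementation that canonicalizes the requested name and refuses anything resolving outside the root. The class and method names (Resource, DirectoryResource, confine) are my own.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Read-only resource abstraction: java.io.File never appears on the public interface. */
interface Resource {
    byte[] read(String name) throws IOException;
}

/** Resource backed by one directory; every name is confined to that directory. */
final class DirectoryResource implements Resource {
    private final Path root;

    DirectoryResource(Path root) throws IOException {
        this.root = root.toRealPath(); // canonical root, so the prefix checks below are meaningful
    }

    /** Resolve a user-supplied name, or throw if it would escape the root. */
    Path confine(String name) throws IOException {
        if (name.isEmpty() || name.indexOf('\0') >= 0) throw new IOException("invalid name");
        // root.resolve("../../../admin/passwords.xml") happily points outside root;
        // normalize() collapses the ".." segments so startsWith() can see where it went.
        Path candidate = root.resolve(name).normalize();
        if (!candidate.startsWith(root)) throw new IOException("path escapes root: " + name);
        // Re-check after following symlinks, so a link inside root cannot lead out of it.
        Path real = candidate.toRealPath();
        if (!real.startsWith(root)) throw new IOException("symlink escapes root: " + name);
        return real;
    }

    @Override
    public byte[] read(String name) throws IOException {
        return Files.readAllBytes(confine(name));
    }
}

public class ConfinedRead {
    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("docs"); // constructed sample root
        Files.write(root.resolve("readme.txt"), "hello".getBytes());
        Resource docs = new DirectoryResource(root);
        System.out.println(new String(docs.read("readme.txt")));
        try {
            docs.read("../../../admin/passwords.xml"); // the request quoted in the thread
        } catch (IOException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Note that the check is done on the resolved path, not by string-matching for "..": an absolute name such as /etc/passwd is also rejected because resolve() returns it unchanged and it does not start with root.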