On Tue, Mar 13, 2012 at 11:24 AM, Lance Java <lance.j...@googlemail.com> wrote:

> Ok, just be very careful. For instance if you force a top level directory
>
>     File file = new File(TOP_LEVEL, request.getParameter("file"));
>
> A hacker can still try
> http://site/read-file?file=../../../admin/passwords.xml

Yes, nice example. I have that in mind and the tests should include scenarios like this one.

> If I were you, I would abstract reading from / writing to files by a
> Resource interface so that it could be swapped out for FTP, database, zip
> file etc, etc. As a rule, I don't think that java.io.File should EVER be on
> a public interface.

Exactly my intention. The "file system" will be implemented as an IOC service implementation. So this eventually could be a database etc.

> My 2p.

Thanks. You should prob also follow tynamo dev and users lists for further discussions on this module.

Cheers,
Dragan Sahpaski

> On Tuesday, 13 March 2012, Dragan Sahpaski <dragan.sahpa...@gmail.com> wrote:
> > Hey Lance,
> > Thanks for taking time to look at this.
> >
> > The code you suggested is a servlet implementation of the javascript editor component.
> > We won't use this approach. The javascript component will be integrated
> > with tapestry and the request/response cycles will be passing parameters in
> > urls/getting json response.
> >
> > The parameters will of course be validated, according to the provided
> > permissions module.
> >
> > Eager to hear more thoughts on this.
> >
> > Cheers,
> > Dragan Sahpaski
> >
> > On Tue, Mar 13, 2012 at 11:01 AM, Lance Java <lance.j...@googlemail.com> wrote:
> > > I'm always very wary of servlets that allow access to a filename passed in
> > > as a request parameter... you are potentially opening up complete access to
> > > your server if you are not careful. Before introducing something like this
> > > into your application you must do a security audit on it
> > >
> > > https://github.com/Studio-42/elfinder-servlet/blob/master/src/main/java/org/elfinder/servlets/commands/OpenCommand.java
> > >
> > > On Tuesday, 13 March 2012, Dragan Sahpaski <dragan.sahpa...@gmail.com> wrote:
> > > > Hi Ville,
> > > > We decided to go with http://elfinder.org/.
> > > > The discussion is on the tynamo dev list.
> > > > It's BSD licensed, the code is pretty clean, it's actively developed, and
> > > > it looks pretty stable.
> > > > I'll integrate it very shortly (this week) and give you a link to a demo,
> > > > or just follow the list.
> > > >
> > > > If it turns out ok we'll have another tynamo module.
> > > >
> > > > Cheers,
> > > > Dragan Sahpaski
> > > >
> > > > On Mon, Mar 12, 2012 at 9:30 PM, Ville <ville.virta...@orientimport.fi> wrote:
> > > > > Hi,
> > > > >
> > > > > CKFinder is a commercial product with no freeware licensing model afaik.
> > > > > However their prices are so low that I'd be happy to pay if the product is
> > > > > good. Then the ckeditor component should only provide a bridge to their
> > > > > java implementation and let the developer using the component provide the
> > > > > actual paid ckfinder for it.
> > > > >
> > > > > The upload-only approach is not an option for us, as the users really need
> > > > > the browsing view to the server and its files with thumbnails.
> > > > >
> > > > > - Ville
> > > > >
> > > > > --
> > > > > View this message in context:
> > > > > http://tapestry.1045711.n5.nabble.com/Simple-CMS-content-editor-component-tp5494712p5559036.html
> > > > > Sent from the Tapestry - User mailing list archive at Nabble.com.
> > > > >
> > > > > ---------------------------------------------------------------------
> > > > > To unsubscribe, e-mail: users-unsubscr...@tapestry.apache.org
> > > > > For additional commands, e-mail: users-h...@tapestry.apache.org
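The thread above makes two points: a bare `new File(TOP_LEVEL, request.getParameter("file"))` is defeated by `../` segments, and file access should sit behind a Resource-style interface rather than exposing `java.io.File`. The following is an added example illustrating both, written for this page and not taken from the elfinder servlet or the tynamo module. The interface `Resource`, the class `LocalDirectoryResource`, and the method names are assumptions; the demonstration inputs in `main` are constructed and include the traversal string quoted in the thread.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example: a small Resource abstraction whose local-disk implementation
 * confines every request-supplied name to one top-level directory.
 * Names (Resource, LocalDirectoryResource, resolve) are assumptions for this example.
 */
public class ResourceDemo {

    /** The public interface never exposes java.io.File or java.nio.file.Path. */
    public interface Resource {
        byte[] read(String name) throws IOException;
    }

    public static final class LocalDirectoryResource implements Resource {
        private final Path root;

        public LocalDirectoryResource(Path root) throws IOException {
            // toRealPath() requires the directory to exist and resolves symlinks once,
            // so later startsWith() comparisons use the same canonical prefix.
            this.root = root.toRealPath();
        }

        /** Resolves a user-supplied name inside the root or throws SecurityException. */
        public Path resolve(String userValue) throws IOException {
            if (userValue == null || userValue.isEmpty() || userValue.indexOf('\0') >= 0) {
                throw new SecurityException("invalid file name");
            }
            Path requested = Paths.get(userValue);
            // Path.resolve() discards the root when given an absolute or rooted path,
            // so refuse those before joining.
            if (requested.isAbsolute() || requested.getRoot() != null) {
                throw new SecurityException("absolute paths are not allowed");
            }
            // normalize() collapses "." and ".." so "sub/../../x" becomes the path it
            // actually names; the result must still begin with the canonical root.
            Path candidate = root.resolve(requested).normalize();
            if (!candidate.startsWith(root)) {
                throw new SecurityException("path escapes the root directory");
            }
            // A symlink inside the root may still point outside it, so check the
            // real location as well when the entry exists.
            if (Files.exists(candidate)) {
                Path real = candidate.toRealPath();
                if (!real.startsWith(root)) {
                    throw new SecurityException("symlink escapes the root directory");
                }
                return real;
            }
            return candidate;
        }

        @Override
        public byte[] read(String name) throws IOException {
            Path p = resolve(name);
            if (!Files.isRegularFile(p)) {
                throw new SecurityException("not a readable file");
            }
            return Files.readAllBytes(p);
        }
    }

    /** Runs the check against a temporary directory with constructed inputs. */
    public static void main(String[] args) throws IOException {
        Path tmp = Files.createTempDirectory("resource-demo");
        Files.write(tmp.resolve("notes.txt"), "hello".getBytes(StandardCharsets.UTF_8));
        Resource fs = new LocalDirectoryResource(tmp);

        System.out.println(new String(fs.read("notes.txt"), StandardCharsets.UTF_8));

        String[] rejected = {
            "../../../admin/passwords.xml",   // the traversal string from the thread
            "/etc/passwd",                    // absolute path
            "sub/../../x"                     // traversal hidden behind a valid prefix
        };
        for (String bad : rejected) {
            try {
                fs.read(bad);
                System.out.println("UNEXPECTED: accepted " + bad);
            } catch (SecurityException e) {
                System.out.println("refused " + bad + ": " + e.getMessage());
            }
        }
    }
}
```

The order of operations matters: normalize first, compare against a root that was itself canonicalised, and only then touch the filesystem. Checking the raw string for `..` is not enough, because encodings and prefix tricks vary across platforms, while a prefix comparison on the normalized, canonical path holds regardless of how the input was spelled. Swapping `LocalDirectoryResource` for a database- or zip-backed implementation leaves the `Resource` interface, and the validation contract callers rely on, unchanged.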