Gary Benson wrote:

>Olivier Jolly wrote:
>
>>I propose to check the validity of a File resource by walking through
>>all the path components and making sure that all intermediate components
>>are valid (ie File.isDirectory and File.exists are true) and that we
>>never try to get "out" the root directory.
>
>What you describe is mostly implemented in File.getCanonicalPath().
>A fix for your issue might be as simple as:
>
>  String base = new File(ROOT).getCanonicalPath() + File.separator;
>  String resource = new File(ROOT, RESOURCE).getCanonicalPath();
>  if (!resource.startsWith(base))
>    throw new Whatever();
>
>where ROOT and RESOURCE are the classloader root and the resource
>you're after, respectively.

yeah, great idea
as it is a JDK1.1 addition and that URLClassLoader was present in 1.0, I didn't look at it, but it seems that's ok to target 1.1 so I will rewrite the patch using this
thank you

>>I only consider ".." as a way of escaping the root directory, it
>>may be more complex than that ...
>
>There are symbolic links to consider too. File.getCanonicalPath()
>should handle them.

Right, I was merely only following directories and avoiding links

>Cheers,

Thanks again

>Gary

Olivier
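
The canonical-path check suggested in the quoted reply, as an added example that is not part of the original thread or of the project's code. The class and method names (`ResourceContainment`, `resolveInside`, `check`) and the temporary directory layout are constructed for illustration; it exercises the three cases the thread touches on: `..` components, a sibling directory that shares the root's name prefix, and a symbolic link pointing outside the root.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example; class and method names are hypothetical.
public class ResourceContainment {

    /** Canonical file for resource under root; throws if it resolves outside root. */
    static File resolveInside(File root, String resource) throws IOException {
        // The trailing separator stops "/x/root-private" from matching "/x/root".
        String base = root.getCanonicalPath() + File.separator;
        // Canonicalization collapses ".." and follows symbolic links.
        File target = new File(root, resource).getCanonicalFile();
        if (!target.getPath().startsWith(base))
            throw new SecurityException("resource escapes root: " + resource);
        return target;
    }

    /** Prints the decision for one resource name. */
    static void check(File root, String resource) throws IOException {
        try {
            File f = resolveInside(root, resource);
            System.out.println("allowed  " + resource + " -> " + f);
        } catch (SecurityException e) {
            System.out.println("rejected " + resource);
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temporary directory.
        Path tmp = Files.createTempDirectory("containment");
        Path root = Files.createDirectory(tmp.resolve("root"));
        Path sibling = Files.createDirectory(tmp.resolve("root-private"));
        Files.write(root.resolve("ok.txt"), "inside".getBytes());
        Files.write(sibling.resolve("secret.txt"), "outside".getBytes());
        File r = root.toFile();

        check(r, "ok.txt");                     // plain resource inside the root
        check(r, "sub/../ok.txt");              // ".." that stays inside the root
        check(r, "../root-private/secret.txt"); // ".." into a prefix-sharing sibling
        try {
            // Symbolic link inside the root whose target is outside it.
            Files.createSymbolicLink(root.resolve("link"), sibling);
            check(r, "link/secret.txt");
        } catch (UnsupportedOperationException | IOException e) {
            System.out.println("symbolic links unavailable here, case skipped");
        }
    }
}
```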
