> Wow! Great comment. I changed the URI to:
>
> <cocoon base URI>/download?file=../../../conf/web.xml
>
> and actually accessed the file. Is this a concern to anyone else?
>
> Thanks Per.

Sure. It might be a concern to others, but doing it in the resolver would probably break just about everything in C2: the resolver is used by the sitemap to get relative URLs for every pipeline, matcher etc. And viewing the source using the samples might use relative paths.

I suggest that you subclass the default reader (which is what you're using I believe) and remove all string occurrences of '../' or '/..' or somesuch before resolving. Then let the rest of the reader's code execute, thereby returning 'invalid resource' errors when appropriate.

Note: You might want to remove the 'download' prefix on the <map:read> in your sitemap and see if all of a sudden absolute URLs work too. Ouch if they do.

Per

---------------------------------------------------------------------
Please check that your question has not already been answered in the
FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail: <[EMAIL PROTECTED]>
For additional commands, e-mail: <[EMAIL PROTECTED]>
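The check a subclassed reader needs before it hands the `file` parameter to the resolver, as an added example that is not part of the thread and not Cocoon code. Instead of stripping `'../'` substrings, it canonicalizes the requested name against a fixed download root and refuses anything that lands outside that root (absolute paths, parent-directory components, and symlinks pointing elsewhere). `SafeDownloadPath` and its `resolve` method are hypothetical names; the download root and the sample files in `main` are constructed for the demonstration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Hypothetical helper (not Cocoon code): a reader subclass would call
 * resolve() on the request's "file" parameter and return an
 * "invalid resource" error whenever it yields null.
 */
public final class SafeDownloadPath {
    private final Path root;

    /** root is the only directory downloads may come from (assumed: e.g. <webapp>/downloads). */
    public SafeDownloadPath(Path root) throws IOException {
        // toRealPath() gives the canonical, symlink-free form used for containment checks.
        this.root = root.toRealPath();
    }

    /**
     * Returns the canonical path of an existing file under root,
     * or null if the request is empty, absolute, escapes the root, or does not exist.
     */
    public Path resolve(String requested) {
        if (requested == null || requested.isEmpty()) {
            return null;
        }
        Path p = Paths.get(requested);
        // An absolute path ("/etc/passwd", "C:\...") is never a valid download name.
        if (p.isAbsolute()) {
            return null;
        }
        // Lexical normalization collapses "." and ".." components before we look at the disk.
        Path candidate = root.resolve(p).normalize();
        // startsWith(Path) compares whole path components, so "downloadsX" is not under "downloads".
        if (!candidate.startsWith(root)) {
            return null;
        }
        // Canonicalize again on disk: a symlink inside root could still point outside it.
        Path real;
        try {
            real = candidate.toRealPath();
        } catch (IOException e) {
            return null; // missing file or unreadable path component
        }
        if (!real.startsWith(root) || !Files.isRegularFile(real)) {
            return null;
        }
        return real;
    }

    /** Demonstration on a constructed temporary layout. */
    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("cocoon-demo");
        Path downloads = Files.createDirectories(base.resolve("downloads"));
        Path conf = Files.createDirectories(base.resolve("conf"));
        Files.write(downloads.resolve("report.txt"), "public".getBytes());
        Files.write(conf.resolve("web.xml"), "<web-app/>".getBytes());

        SafeDownloadPath guard = new SafeDownloadPath(downloads);

        String[] requests = {
            "report.txt",              // legitimate: resolved
            "../conf/web.xml",         // the traversal from the thread: rejected
            "sub/../report.txt",       // stays inside root after normalization: resolved
            "/" + conf.resolve("web.xml").toString().replaceFirst("^/", ""), // absolute: rejected
            "missing.txt"              // inside root but absent: rejected
        };
        for (String r : requests) {
            Path resolved = guard.resolve(r);
            System.out.println(r + " -> " + (resolved == null ? "REJECTED" : resolved));
        }
    }
}
```

The two-stage check matters: `normalize()` alone is a string-level operation and says nothing about symlinks, while `toRealPath()` alone would happily canonicalize `../conf/web.xml` to a valid file. Checking containment after each stage, and only then opening the file, is what makes the reader safe regardless of how the traversal is spelled in the URI.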
