> It seems that absolute URLs are not a problem. The following examples give
> me an error page:
>
> URI:
>
> <cocoon base URI>/../filename.jpg
> <cocoon base URI>/download/../../filename.jpg
> <cocoon base URI>/images/../../filename.jpg
>
> error page:
>
> HTTP Status 404 - /filename.jpg
>
> --------------------------------------------------------------------------------
>
> type Status report
>
> message /filename.jpg
>
> description The requested resource (/filename.jpg) is not available.
>
> --------------------------------------------------------------------------------
>
> Apache Tomcat/4.1.3
>
>
> Working URI:
>
> <cocoon base URI>/download/../filename.jpg

Doesn't that simply mean that /filename.jpg isn't there? What if it was in your root directory, outside of your webapp's space? Would it return? What if you try /etc/passwd? Or on Windows NT/2000, something in /winnt?

Per
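
The containment check behind the question above, as an added example that is not part of either message and is not Cocoon or Tomcat code: it resolves the four URIs from the thread and maps a request to a file only when the resolved path is still inside the webapp. The context path `/cocoon` (standing in for `<cocoon base URI>`) and the directory `/opt/webapps/cocoon` are assumptions.

```python
import posixpath
from urllib.parse import unquote

CONTEXT = "/cocoon"               # assumed: stands in for <cocoon base URI>
DOC_ROOT = "/opt/webapps/cocoon"  # assumed: webapp directory on disk


def remove_dot_segments(path):
    """Resolve '.' and '..' in an absolute URL path (simplified RFC 3986 5.2.4)."""
    out = []
    for seg in path.split("/"):
        if seg == "..":
            if out:          # '..' at the root has nothing left to remove
                out.pop()
        elif seg not in ("", "."):
            out.append(seg)
    return "/" + "/".join(out)


def check(request_path, context=CONTEXT, doc_root=DOC_ROOT):
    """Return (resolved URL path, file path or None).

    None means the request resolved outside the webapp and must not be
    mapped onto the filesystem by the webapp at all.
    """
    # Decode first, so percent-encoded dot segments are resolved as well.
    resolved = remove_dot_segments(unquote(request_path))
    if resolved != context and not resolved.startswith(context + "/"):
        return resolved, None
    relative = resolved[len(context):].lstrip("/")
    target = posixpath.normpath(posixpath.join(doc_root, relative))
    # Second check on the mapped file path, independent of the URL check.
    if target != doc_root and not target.startswith(doc_root + "/"):
        return resolved, None
    return resolved, target


# The four URIs from the quoted message, with the assumed context path.
SAMPLES = [
    "/cocoon/../filename.jpg",
    "/cocoon/download/../../filename.jpg",
    "/cocoon/images/../../filename.jpg",
    "/cocoon/download/../filename.jpg",
]

if __name__ == "__main__":
    for uri in SAMPLES:
        resolved, target = check(uri)
        print(f"{uri:40} -> {resolved:22} {target or 'outside webapp, not served'}")
```

The first three samples resolve to `/filename.jpg`, the path shown in the 404 page, and only the fourth stays inside the context.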