This is an automated email from the ASF dual-hosted git repository. rombert pushed a commit to annotated tag org.apache.sling.resourcebuilder-1.0.0 in repository https://gitbox.apache.org/repos/asf/sling-org-apache-sling-resourcebuilder.git
commit 296f03817ebeb2794a6c82cf4e9383494bbf9c9d
Author: Bertrand Delacretaz <bdelacre...@apache.org>
AuthorDate: Fri Dec 11 14:30:27 2015 +0000
SLING-5356 - reject .. in paths
git-svn-id: https://svn.apache.org/repos/asf/sling/trunk/bundles/commons/resourcebuilder@1719430 13f79535-47bb-0310-9956-ffa450edef68
---
 .../org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java | 3 +++
 .../apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java | 5 +++++
 2 files changed, 8 insertions(+)
diff --git a/src/main/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java b/src/main/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java
index 0abd07d..6d356f1 100644
--- a/src/main/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java
+++ b/src/main/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImpl.java
@@ -77,6 +77,9 @@ public class ResourceBuilderImpl implements ResourceBuilder {
 if(relativePath.startsWith("/")) {
 throw new IllegalArgumentException("Path is not relative:" + relativePath);
 }
+ if(relativePath.contains("..")) {
+ throw new IllegalArgumentException("Path contains invalid pattern '..': " + relativePath);
+ }
 final String fullPath = currentParent.getPath() + "/" + relativePath;
 final String parentPath = ResourceUtil.getParent(fullPath);
diff --git a/src/test/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java b/src/test/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java
index b054a2e..189a3c1 100644
--- a/src/test/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java
+++ b/src/test/java/org/apache/sling/resourcebuilder/impl/ResourceBuilderImplTest.java
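Review bot: The guard `relativePath.contains("..")` in ResourceBuilderImpl.java is a substring test, so besides parent-directory segments it also rejects names that merely contain two dots (constructed examples: `report..bak`, `v1..2/data`). It fails closed, which is the safe direction for a traversal check, but a per-segment test states the intent exactly: `if (Arrays.asList(relativePath.split("/")).contains("..")) {` (needs `java.util.Arrays`). Since `fullPath` is then built by plain string concatenation, a second check that `ResourceUtil.normalize(fullPath)` is non-null and still starts with `currentParent.getPath() + "/"` would keep the containment guarantee independent of how the input is spelled. The enclosing method starts and ends outside this hunk, so how `fullPath` is used later is not visible here.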
@@ -189,6 +189,11 @@ public class ResourceBuilderImplTest {
 getBuilder(testRootPath).resource("/absolute");
 }
+ @Test(expected=IllegalArgumentException.class)
+ public void aboveParentFails() throws Exception {
+ getBuilder(testRootPath).resource("../foo");
+ }
+
 @Test
 public void simpleTree() throws Exception {
 getBuilder(testRootPath)
--
To stop receiving notification emails like this one, please contact "commits@sling.apache.org" <commits@sling.apache.org>.
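Review bot: `aboveParentFails` pins only a leading `../foo`, while the guard it covers matches `..` anywhere in the string, so the embedded and trailing forms (`foo/../bar`, `foo/..`) and a bare `..` are untested. A later refactor of the check to something like `startsWith("..")` would still pass this test while reopening the traversal. One more `@Test(expected=IllegalArgumentException.class)` method per form, each calling e.g. `getBuilder(testRootPath).resource("foo/../bar");`, closes that gap. A case for a name that merely contains two dots (constructed example: `foo..bar`) would also record whether rejecting it is intended.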