http://127.0.0.1:8888/samples/view-source?filename=/WEB-INF/web.xml
http://127.0.0.1:8888/samples/view-source?filename=/WEB-INF/cocoon.xconf
or even the sample from the bug description
http://127.0.0.1:8888/samples/view-source?filename=../../../boot.ini
are possible. IMO we should remove view-source.xsp completely and use the xml2html.xsl instead. And this only for selected files, as it is done now when using ?cocoon-view=pretty-content. Adding a further pipeline for showing the sitemaps should be easy.
What do you think?
Joerg
[EMAIL PROTECTED] wrote:
http://nagoya.apache.org/bugzilla/show_bug.cgi?id=23949
Security : Directory traversal in "view-source"
------- Additional Comments From [EMAIL PROTECTED] 2003-10-22 08:31 -------
No, I don't like this kind of solution, it's too restrictive. We, for example, search a directory tree for our intranet outside of the Cocoon webapp. At home I have mounted my own sitemap, which is outside of the Cocoon webapp. The "real" solution is either to avoid direct request-parameter-to-file-access mappings or to remove view-source.xsp completely. We have stylesheets for the latter task.
Joerg
--
System Development
VIRBUS AG
Fon +49(0)341-979-7419
Fax +49(0)341-979-7409
[EMAIL PROTECTED]
www.virbus.de
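The mitigation discussed in this thread (no direct request-parameter-to-file mapping, source shown only for selected files) as an added example; this is not Cocoon's own code, and the samples root path, the suffix allow-list and the function name are assumptions:

```python
"""Safe mapping of a ?filename= request parameter to a file under a fixed
samples directory. Added example, not part of Cocoon or view-source.xsp."""
import posixpath
from pathlib import PurePosixPath
from typing import Optional

SAMPLES_ROOT = "/opt/cocoon/webapp/samples"  # assumed deployment location
# Only these suffixes may be shown as source; everything else is refused.
ALLOWED_SUFFIXES = {".xsp", ".xml", ".xsl", ".xmap"}
# Directories that must never be exposed even when they lie inside the webapp.
FORBIDDEN_DIRS = {"web-inf", "meta-inf"}


def resolve_view_source(filename: str, root: str = SAMPLES_ROOT) -> Optional[str]:
    """Return the absolute path to serve, or None if the request must be refused.

    Rejects absolute paths (/WEB-INF/web.xml), traversal that escapes `root`
    (../../../boot.ini), WEB-INF and META-INF, and non-allow-listed suffixes.
    """
    if not filename or "\x00" in filename:
        return None
    # Treat backslashes as separators too, so "..\\..\\boot.ini" is caught as well.
    candidate = filename.replace("\\", "/")
    if candidate.startswith("/"):
        return None  # absolute paths are never relative to the samples root
    # Collapse "." and ".." lexically; a path that escapes root starts with ".."
    normalized = posixpath.normpath(candidate)
    parts = PurePosixPath(normalized).parts
    if not parts or parts[0] == "..":
        return None
    if any(part.lower() in FORBIDDEN_DIRS for part in parts):
        return None
    if PurePosixPath(normalized).suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    full = posixpath.join(root, normalized)
    # Belt and braces: the joined path must still lie under root.
    # (At serving time, also compare os.path.realpath() results to catch symlinks.)
    if posixpath.commonpath([root, full]) != root:
        return None
    return full


if __name__ == "__main__":
    for req in ["/WEB-INF/web.xml", "../../../boot.ini", "hello/hello.xsp"]:
        print(req, "->", resolve_view_source(req))
```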