Sylvain Wallez wrote:

IIRC NetUtils.normalize() will remove any .. from a URL. It splits on /, so it can handle a context: protocol, but how it deals with .. at the beginning of a URL I can't work out immediately. If it doesn't, it shouldn't be hard to patch it to work appropriately.
// Remove the protocol and the first '/'outside the context:
- int pos = location.indexOf(":/");
- String path = location.substring(pos+1);
+ final int pos = location.indexOf(":/");
+ final String path = location.substring(pos+1);
+ + // fix for #24093, we don't give access to files
+ if ( path.indexOf("../") != -1 ) {('../' is not allowed) : " + path);
+ throw new MalformedURLException("Invalid path
+ }

Isn't this way of checking too strict? We can have perfectly valid cases where one concatenates a base "context://foo/bar/" base URI with a "../baz" relative path.
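Review bot: the new guard in this hunk, `path.indexOf("../") != -1`, rejects any path that contains "../" anywhere, so a resolvable reference such as the base "context://foo/bar/" joined with "../baz" is refused together with genuine escapes, while a path that ends in ".." with no trailing slash is not caught at all. Suggest normalizing the path first (the thread already mentions NetUtils.normalize()) and throwing only when the normalized result would climb above the context root. Also, as quoted here the throw is interleaved with its message string, `if ( path.indexOf("../") != -1 ) {('../' is not allowed) : " + path);` followed by `throw new MalformedURLException("Invalid path`; the applied patch should read `throw new MalformedURLException("Invalid path ('../' is not allowed): " + path);` as one statement inside the block.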
Hmmm, who does such nice things? Ok, but you're right - don't we have a URL mangler somewhere that does this for us?
Carsten
Don't know if this is relevant.
Regards, Upayavira
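The alternative discussed above, normalizing the path and rejecting only paths that climb above the context root, as an added example. This is not Cocoon's NetUtils.normalize() nor the code from the patch; the class and method names are hypothetical, and the sample locations are constructed for illustration.

```java
import java.net.MalformedURLException;
import java.util.ArrayDeque;
import java.util.Deque;

// Added example (hypothetical class, not Cocoon code): resolve "." and ".."
// segments first, then refuse only paths that escape the context root.
public final class ContextPathCheck {

    private ContextPathCheck() {}

    /**
     * Normalizes a '/'-separated path. Returns null when a ".." segment would
     * climb above the root, i.e. when the path escapes the context.
     */
    static String normalize(String path) {
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                       // skip "//" and "."
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;                // nothing left to pop: escape
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    /**
     * Mirrors the shape of the patched code: strip the scheme, then validate.
     * Throws only when the resolved path leaves the context root.
     */
    static String checkedPath(String location) throws MalformedURLException {
        int pos = location.indexOf(":/");
        if (pos < 0) {
            throw new MalformedURLException("No scheme in: " + location);
        }
        String path = location.substring(pos + 1);
        String normalized = normalize(path);
        if (normalized == null) {
            throw new MalformedURLException(
                "Invalid path (escapes the context root): " + path);
        }
        return normalized;
    }

    /** The check from the patch, kept for comparison. */
    static boolean rejectedByStrictCheck(String location) {
        int pos = location.indexOf(":/");
        String path = location.substring(pos + 1);
        return path.indexOf("../") != -1;
    }

    public static void main(String[] args) {
        // Constructed sample locations.
        String[] samples = {
            "context://foo/bar/../baz",   // legitimate relative reference
            "context://foo/bar/..",       // trailing "..", no slash after it
            "context://foo/../../etc",    // climbs above the root
        };
        for (String loc : samples) {
            System.out.print(loc + " -> strict check rejects: "
                + rejectedByStrictCheck(loc) + "; normalized: ");
            try {
                System.out.println(checkedPath(loc));
            } catch (MalformedURLException e) {
                System.out.println("REJECTED (" + e.getMessage() + ")");
            }
        }
    }
}
```

With these inputs the first location is refused by the substring check but resolves cleanly to /foo/baz, the second contains no "../" and so passes the substring check even though it pops a directory (it resolves to /foo), and the third is rejected by both, the normalizing version because its second ".." has nothing left to remove.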
