Do such URLs in skins actually result in incoming URLs containing "..", or does it get resolved out when we generate the .css?
-- Adam

On 9/12/07, Jeanne Waldman <[EMAIL PROTECTED]> wrote:
>
> Hi Simon,
>
> Very good point. I have seen skins have ".." in the background-image path.
> I forgot about that.
>
> The reason for fixing this issue is that we feel it is a security issue if
> the use of the ".." in the path is such that the path goes outside of the
> 'root'.
>
> If I switch to the old code path and log a warning about the deprecated URL
> usage, then the security issue will still exist.
> It sounds like to fix the issue correctly, I'll have to make sure if the
> path contains ".." that the path doesn't take us outside the root. e.g.,
> foo/bar/../../zoo/../.. -> takes you outside root.
>
> A side note -- I found a bug in the DirectoryResourceLoader where it was
> allowing paths outside the root directory, even though the comment
> said that it wasn't. I can fix that easily, and I will log a separate issue
> and fix that since it isn't controversial.
>
> Thanks again for your comments,
> - Jeanne
>
>
> Simon Lessard wrote:
> Hello Jeanne,
>
> Personally you won't break anything with my projects, but it's only because
> I fully converted the skin to use the new Trinidad URL system (well it's
> more Trinidad URL system than new actually). However, preventing the '..'
> will most likely make the passage between ADF Faces and Trinidad more
> difficult as '..' was often needed with ADF Faces and background-image
> within skins. Would it be possible to do your change but if you detect '..',
> switch to the old code path and log a warning about a deprecated URL usage
> within the skin? We could offer a grace period until one month or so after
> JDeveloper 11g gets in production maybe? I would use that date because the
> number of Trinidad users will most likely get a big boost from old ADF Faces
> users when JDev 11 is officially released. Also, those new users will most
> likely have to do the aforementioned conversion.
>
> Regards,
>
> ~ Simon
>
>
> On 9/11/07, Jeanne Waldman <[EMAIL PROTECTED]> wrote:
> > My main concern is
> > a. should I simply reject any path with ".." in it as dangerous -or-
> >
> > b. if the path contains "..", I should figure out if it resolves to a path
> > outside the root and only reject it in that case.
> >
> > b is safer, but requires more processing.
> >
> > Thanks,
> >
> > - Jeanne
> >
> >
> > Jeanne Waldman wrote:
> > > Hi there,
> > > I'm about to fix issue:
> > > https://issues.apache.org/jira/browse/TRINIDAD-703
> > >
> > > snippet from issue:
> > >
> > > We register our image resource loader with a fairly loose pattern:
> > > register("(/.*\\.(css|jpg|gif|png|jpeg|svg|js))",
> > > new CoreClassLoaderResourceLoader(parent));
> > >
> > > In theory could someone get at an image on the class path outside of
> > > our own
> > > images by crafting a funky URL along the lines of
> > > "../../../../oracle/someotherpackage/foo.gif"? Yes.
> > > ClassLoaderResourceLoader should prevent access outside of the
> > > "rootPackage".
> > >
> > >
> > > I mention how I am fixing it (disallowing ".." in the path), so please
> > > comment if you'd like.
> > >
> > > Thanks,
> > > Jeanne
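The thread weighs option (a), rejecting any path containing "..", against option (b), resolving the ".." segments and rejecting only paths that escape the root. The Java sketch below is an added example, not Trinidad's ClassLoaderResourceLoader or DirectoryResourceLoader code, that implements both checks side by side; the `RootConfinedPath` class, the root package `com.example.resources` and the sample paths are constructed for illustration. It works on the path as a sequence of "/" separated segments, so it assumes the servlet layer has already percent-decoded the request path.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Constrains a resource path to a root package (added example, not project code).
 * Class-loader resource names always use "/" and involve no symlinks, so a purely
 * lexical resolution of "." and ".." is sufficient here. The input is assumed to
 * be already URL-decoded; a check on an encoded "%2e%2e" would pass it through.
 */
public final class RootConfinedPath {

    private RootConfinedPath() {}

    /** Option (a) from the thread: refuse the path if any segment is "..". */
    public static boolean containsDotDot(String path) {
        if (path == null) return false;
        for (String seg : path.split("/")) {
            if ("..".equals(seg)) return true;
        }
        return false;
    }

    /**
     * Option (b) from the thread: resolve "." and ".." lexically and return the
     * normalized relative path, or null if the path climbs above the root at ANY
     * point while resolving. Checking at every step matters: the thread's example
     * foo/bar/../../zoo/../.. descends and climbs in equal measure until the final
     * "..", and a naive count of ups versus downs taken only at the end could be
     * fooled by a path such as ../a/b that ends up "inside" after escaping.
     */
    public static String normalizeWithinRoot(String path) {
        if (path == null) return null;
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || ".".equals(seg)) {
                continue; // leading "/", "//" and "./" contribute nothing
            }
            if ("..".equals(seg)) {
                if (segments.isEmpty()) {
                    return null; // would leave the root package
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return String.join("/", segments);
    }

    /**
     * Builds the class-loader resource name the loader would look up, or returns
     * null when the request must be rejected. The root package is given in dotted
     * form, as a "rootPackage" setting would be, and converted to "/" form here.
     */
    public static String resourceName(String rootPackage, String path) {
        String rel = normalizeWithinRoot(path);
        if (rel == null) return null;
        String root = rootPackage.replace('.', '/');
        return rel.isEmpty() ? root : root + "/" + rel;
    }

    public static void main(String[] args) {
        // Constructed sample requests; the last two are the thread's own examples.
        String[] samples = {
            "/images/foo.gif",
            "/skins/oracle/../images/bg.png",
            "/skins/./oracle//images/bg.png",
            "foo/bar/../../zoo/../..",
            "../../../../oracle/someotherpackage/foo.gif"
        };
        for (String s : samples) {
            String resolved = resourceName("com.example.resources", s);
            System.out.printf("%-48s option(a) reject=%-5s option(b) -> %s%n",
                    s, containsDotDot(s), resolved == null ? "REJECTED (escapes root)" : resolved);
        }
    }
}
```

Running `main` shows the difference the thread is discussing: option (a) refuses the second sample, `/skins/oracle/../images/bg.png`, even though it resolves to `com/example/resources/images/bg.png` inside the root, while option (b) accepts it and still rejects both of the escaping paths. Whichever option is chosen, the check belongs inside the loader rather than in the registration regex, since `(/.*\\.(css|jpg|gif|png|jpeg|svg|js))` says nothing about where the path resolves.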