Grant Murphy has posted comments on this change.
Change subject: core: Add BLOB servlet
......................................................................
Patch Set 3: (2 inline comments)
Can you please clarify the points that I've raised here?
....................................................
File
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/blob/BlobRegistry.java
Line 52: BlobServer server = serverReference.get();
I'm not sure, but I don't think this is the correct usage of an AtomicReference.
Usually atomic operations are compareAndSet type operations where a value is
updated (say, a shared counter). The way this has currently been implemented, I
don't think it would be thread safe.
....................................................
File
backend/manager/modules/utils/src/main/java/org/ovirt/engine/core/utils/blob/BlobServlet.java
Line 102: public URL registerBlob (File blob) {
Based on the implementation of this file, BlobRegistry and the ServletUtils
send file method, I don't see anywhere where the file path has been sanitized to
prevent things like directory traversal. I assume this is because the file path
is coming from a trusted source?
--
To view, visit http://gerrit.ovirt.org/6484
Gerrit-MessageType: comment
Gerrit-Change-Id: I4726aa4084ebb8f93caf0616aceab10957c16b90
Gerrit-PatchSet: 3
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez
Gerrit-Reviewer: Doron Fediuck
Gerrit-Reviewer: Grant Murphy
Gerrit-Reviewer: Juan Hernandez
Gerrit-Reviewer: Yair Zaslavsky
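The kind of containment check the second inline comment asks about, as an added example that is not part of the original message or of the ovirt-engine code: it resolves a name against a base directory and rejects anything that ends up outside it. The class BlobPathCheck, the method resolveInside, the directory layout and the assumption that the name is untrusted are all hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example; BlobPathCheck and resolveInside are hypothetical names,
// not part of ovirt-engine.
public class BlobPathCheck {

    // Resolve an untrusted name under baseDir and return the real path,
    // or throw if it would land outside baseDir.
    static Path resolveInside(Path baseDir, String untrustedName) throws IOException {
        Path base = baseDir.toRealPath();                          // resolve symlinks in the base itself
        Path candidate = base.resolve(untrustedName).normalize();  // collapse "." and ".."
        if (!candidate.startsWith(base)) {   // compares path elements, not string prefixes
            throw new SecurityException("path escapes base directory: " + untrustedName);
        }
        // toRealPath requires the file to exist and follows symlinks, so a link
        // inside base that points elsewhere is caught by the second check.
        Path real = candidate.toRealPath();
        if (!real.startsWith(base) || !Files.isRegularFile(real)) {
            throw new SecurityException("not a regular file inside base: " + untrustedName);
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temporary directory.
        Path root = Files.createTempDirectory("blobdemo");
        Path base = Files.createDirectory(root.resolve("blobs"));
        Files.write(base.resolve("report.bin"), new byte[] {1, 2, 3});
        Files.write(root.resolve("secret.txt"), "outside".getBytes());
        Files.createDirectory(root.resolve("blobs-old"));
        Files.write(root.resolve("blobs-old").resolve("x.bin"), new byte[] {9});

        String[] names = {"report.bin", "./report.bin", "../secret.txt",
                          "../blobs-old/x.bin", root.resolve("secret.txt").toString()};
        for (String name : names) {
            try {
                System.out.println("OK      " + name + " -> " + resolveInside(base, name));
            } catch (SecurityException | IOException e) {
                System.out.println("REJECT  " + name + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The `../blobs-old/x.bin` case is why the check uses `Path.startsWith` rather than a string prefix comparison: as strings, the sibling directory `blobs-old` begins with the base path `blobs`, but as path elements it does not.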