[ https://issues.apache.org/jira/browse/FOP-2912?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17040958#comment-17040958 ]
Simon Steiner edited comment on FOP-2912 at 2/20/20 1:11 PM:
-------------------------------------------------------------

Should you not validate your URLs before passing them into FOP? I wonder if your change is safe due to data URLs; maybe you can use a security manager to block access to the directory, or a custom resource resolver.

was (Author: ssteiner1):
Should you not validate your URLs before passing them into FOP? I wonder if your change is safe due to data URLs.

> Short circuit with FileNotFoundException when a URL is empty
> ------------------------------------------------------------
>
>                 Key: FOP-2912
>                 URL: https://issues.apache.org/jira/browse/FOP-2912
>             Project: FOP
>          Issue Type: Wish
>          Components: image/unqualified
>    Affects Versions: 2.4
>            Reporter: CARL BUXBAUM
>            Priority: Major
>         Attachments: patch.diff
>
>   Original Estimate: 0.5h
>  Remaining Estimate: 0.5h
>
> Hi, We use FOP to generate PDF reports through XSL-FO. Sometimes the dynamic
> data from the XML results in an empty URL being passed to external-graphic
> src. This makes its way through ExternalGraphic.java, and ends up in a
> needless and wasteful OS call to list the directory where our images are
> stored ([file://|file:///]<our_imagestore>/). Some of our customers also
> have hundreds of thousands of images in that top level directory, and the OS
> dir call takes an immense amount of time to return (with a
> FileNotFoundException).
> We are trying out this code in ExternalGraphic.java, lines 80-81 (change in
> blue) in the trunk:
>
> public void bind(PropertyList pList) throws FOPException {
>     super.bind(pList);
>     src = pList.get(PR_SRC).getString();
>     //Additional processing: obtain the image's intrinsic size and baseline information
>     url = URISpecification.getURL(src);
>     FOUserAgent userAgent = getUserAgent();
>     ImageManager manager = userAgent.getImageManager();
>     ImageInfo info = null;
>     {color:#0747a6}try {{color}
>     {color:#0747a6} if (url == null || url.trim().isEmpty() || url.trim().equals("") || url.endsWith("/" ) || url.endsWith("{color}
>     {color:#0747a6} ")){color}
>     {color:#0747a6} { {color}{color:#0747a6} throw new FileNotFoundException("URL is not complete");
>     }{color}
>     info = manager.getImageInfo(url, userAgent.getImageSessionContext());
> -------
> It would be great if something like this could be adopted into the code so we
> do not need to maintain our own version. I cannot think of a use case where
> an empty URL or a URL that specifies a directory would be valid (except maybe
> where a default file is served from a directory using http)?
> Please let me know what you think.

--
This message was sent by Atlassian Jira
(v8.3.4#803005)
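
The caller-side validation suggested in the comment above, as an added example (not FOP code and not the reporter's patch): a check run on each external-graphic src before the document reaches FOP. It exempts data: URLs from the trailing-slash test and resolves the reference against the base first, so forms such as "." that point back at the directory are caught too. The class name, the `reject` helper, the base directory and the sample inputs are all hypothetical or constructed.

```java
import java.net.URI;
import java.net.URISyntaxException;

// Added illustration, not FOP code: vet an external-graphic src before FOP sees it.
public final class GraphicSrcCheck {

    // Hypothetical helper: returns null if src may be passed on, else a reason.
    // Assumes src is already unwrapped (the value URISpecification.getURL returns).
    static String reject(String src, URI baseDir) {
        if (src == null || src.trim().isEmpty()) {
            return "empty src, would resolve to the base directory itself";
        }
        String s = src.trim();
        // data: URLs carry the image inline, and base64 text may end in '/',
        // so a bare endsWith("/") test must not be applied to them.
        if (s.regionMatches(true, 0, "data:", 0, 5)) {
            int comma = s.indexOf(',');
            return (comma > 0 && comma < s.length() - 1) ? null : "data URL without payload";
        }
        URI resolved;
        try {
            resolved = baseDir.resolve(new URI(s)).normalize();
        } catch (URISyntaxException e) {
            return "not a valid URI: " + e.getReason();
        }
        // Only file: targets trigger the local directory access described in the
        // issue; an http URL ending in '/' may still serve a default file.
        String path = resolved.getPath();
        if ("file".equalsIgnoreCase(resolved.getScheme())
                && (path == null || path.isEmpty() || path.endsWith("/"))) {
            return "resolves to a directory, not a file: " + resolved;
        }
        return null;
    }

    public static void main(String[] args) {
        URI base = URI.create("file:///srv/imagestore/"); // constructed sample base
        String[] samples = {                               // constructed sample inputs
            "", "  ", ".", "logos/", "#top", "logos/acme.png", "a b.png",
            "data:image/png;base64,iVBORw0KGgo/", "http://example.com/img/"
        };
        for (String s : samples) {
            String why = reject(s, base);
            System.out.println("[" + s + "] -> " + (why == null ? "ok" : "REJECT: " + why));
        }
    }
}
```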