dsmiley commented on code in PR #146: URL: https://github.com/apache/solr/pull/146#discussion_r1040336243
########## solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java: ########## @@ -287,9 +287,11 @@ public Long getCurrentSchemaModificationVersion( } protected Path getConfigDir(String configName) throws IOException { - String configSetDirPath = configSetBase.toFile().getCanonicalPath() + File.separator; - String path = Paths.get(configSetBase.toString(), configName).toFile().getCanonicalPath(); - if (!path.startsWith(configSetDirPath)) { + String path = + Paths.get(configSetBase.toString(), FilenameUtils.getName(configName)) + .toFile() + .getCanonicalPath(); + if (!path.endsWith(configName)) { Review Comment: Don't we want to check that the path *startsWith* the configSetBase? I don't think we should care what it ends with. Otherwise we could read a path like "../../../somewhereElse/configName" that the caller shouldn't have access to. ########## solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java: ########## @@ -287,9 +287,11 @@ public Long getCurrentSchemaModificationVersion( } protected Path getConfigDir(String configName) throws IOException { - String configSetDirPath = configSetBase.toFile().getCanonicalPath() + File.separator; - String path = Paths.get(configSetBase.toString(), configName).toFile().getCanonicalPath(); - if (!path.startsWith(configSetDirPath)) { + String path = + Paths.get(configSetBase.toString(), FilenameUtils.getName(configName)) + .toFile() + .getCanonicalPath(); Review Comment: Why getCanonicalPath? ########## solr/core/src/java/org/apache/solr/core/FileSystemConfigSetService.java: ########## 
@@ -287,9 +287,11 @@ public Long getCurrentSchemaModificationVersion( } protected Path getConfigDir(String configName) throws IOException { - String configSetDirPath = configSetBase.toFile().getCanonicalPath() + File.separator; - String path = Paths.get(configSetBase.toString(), configName).toFile().getCanonicalPath(); - if (!path.startsWith(configSetDirPath)) { + String path = + Paths.get(configSetBase.toString(), FilenameUtils.getName(configName)) Review Comment: If configName were "foo/bar", there shouldn't be anything fundamentally wrong with that. -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: issues-unsubscr...@solr.apache.org For queries about this service, please contact Infrastructure at: us...@infra.apache.org
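Review bot: In getConfigDir, the new check `if (!path.endsWith(configName))` is a string-suffix test on the canonical path and no longer verifies that the result lies under configSetBase, which the removed `path.startsWith(configSetDirPath)` did. Containment now rests entirely on `FilenameUtils.getName(configName)` stripping directory components, and because of that call a nested name such as "foo/bar" resolves to the base plus "bar" and then passes or fails the suffix test depending on how the base path happens to end. Suggest keeping a containment check against the canonicalized base, compared by path component (for example `Path.startsWith` on normalized paths) rather than by string, and dropping the endsWith test.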
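The containment check discussed in this review thread, as an added Java example that is not part of the PR or of Solr: it compares normalized paths by component, so a nested name like "foo/bar" is accepted while "../../../somewhereElse/configName" is rejected. `ConfigDirCheck`, `resolveUnderBase` and the sample base directory are assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration; ConfigDirCheck and resolveUnderBase are hypothetical names,
// not part of Solr.
public class ConfigDirCheck {

  /** Resolves configName under base, rejecting anything that escapes base. */
  static Path resolveUnderBase(Path base, String configName) throws IOException {
    if (configName == null || configName.isEmpty()) {
      throw new IOException("Empty configset name");
    }
    // Lexical normalization collapses "." and ".." without touching the disk.
    // It does not resolve symlinks; use toRealPath() on both sides if symlinks
    // inside the base must also be confined (requires the paths to exist).
    Path root = base.toAbsolutePath().normalize();
    Path candidate = root.resolve(configName).normalize();
    // Path.startsWith compares whole name elements, so "/base/confs-evil"
    // does not pass as a child of "/base/confs" the way a String prefix would.
    if (candidate.equals(root) || !candidate.startsWith(root)) {
      throw new IOException("Configset name escapes base directory: " + configName);
    }
    return candidate;
  }

  public static void main(String[] args) {
    Path base = Paths.get("/var/solr/configsets"); // constructed sample base
    String[] names = { // constructed sample inputs
      "myconf", "foo/bar", "a/../b", "../../../somewhereElse/configName",
      "../configsets-evil/x", "/etc", ".", ""
    };
    for (String name : names) {
      try {
        System.out.println("OK      " + name + " -> " + resolveUnderBase(base, name));
      } catch (IOException e) {
        System.out.println("REJECT  " + name + " (" + e.getMessage() + ")");
      }
    }
  }
}
```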