[
https://issues.apache.org/jira/browse/JSPWIKI-628?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
]
Andrew Jaquith closed JSPWIKI-628.
----------------------------------
Resolution: Won't Fix
Jürgen, thanks for your comments. I understand your issue better now.
I still don't think it is wise to allow arbitrary class file downloads via a
plugin. I agree that this might be useful in your particular case. I also agree
that, in general, the class files in JSPWiki are not themselves sensitive
(there are no secrets embedded in them).
But we can't guarantee this will always be the case, and we can't guarantee
third-party JARs we bundle won't have sensitive information in them. And if
improperly programmed, it might allow access to arbitrary resources inside
WEB-INF. Nobody on the core team has enough time or resources to think of all
the ways that a plugin like this might be abused, or of all the checks and unit
tests that would need to be created to ensure its safety.
For these reasons, I don't think a general-purpose download capability for all
classes in the classpath would be a good thing -- at least not in the core
distro.
You are welcome, as always, to create your own plugin that does this.
> Load Plugin resources from classpath
> ------------------------------------
>
> Key: JSPWIKI-628
> URL: https://issues.apache.org/jira/browse/JSPWIKI-628
> Project: JSPWiki
> Issue Type: Improvement
> Affects Versions: 2.8.3
> Reporter: Jürgen Weber
>
> Some plugins require the browser to load files. E.g. the FreeMindPlugin needs
> the browser to load the applet's classes, or another plugin might need some
> flash code.
> Currently the solution is to attach these files to a page which has the sole
> purpose of having the attachment. This is kind of awkward.
> JSPWiki should have a mechanism (in JSPFilter?) which would load the file
> from the classpath. So for FreeMind the FreeMindPlugin.jar would additionally
> contain freemindbrowser.jar. The plugin would generate some markup that would
> make the Filter recognize that the parameter is to be loaded from classpath,
> e.g. <wiki:IncludeResource freemindbrowser.jar>
> I guess this could be done with a PageFilter, too, but the idea is to make
> installing plugins easier and having to add a filters.xml would be
> counterproductive, so the mechanism should go into core.
--
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.
