Hmmm... That's a good point. How about leaving the pertinent servlet declarations commented out in the web.xml files? That ought to mitigate the problem, yet make distributing a "dev-only" binary a simple affair...
On Wed, Dec 10, 2008 at 10:29 PM, Nick Lothian <[EMAIL PROTECTED]> wrote:

> If people leave this in on a production system (which they will do), and
> deploy behind a reverse proxy then in some circumstances (depending on your
> servlet engine & config) ALL requests may appear to come from 127.0.0.1.
> (See, for eg:
> http://grokbase.com/thread/m/2006/07/17/patch-to-override-request-getremoteaddr-if-behind-a-reverse-proxy/xaqnRqmBVpzX-i2E8I1LGljLwzA#xaqnRqmBVpzX-i2E8I1LGljLwzA
> )
>
> That could be kind of bad (especially since there is no checking of the path
> for directory traversal etc).
>
> Nick
>
> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> Sent: Thursday, 11 December 2008 9:35 AM
> To: [email protected]
> Subject: Adding local file rendering support to Sample Container
>
> Reviewers: shindig-dev,
>
> Description:
> This patch enables Shindig's Sample Container to render files local to
> the developer's machine.
>
> This is facilitated by adding a Servlet that serves these files (only to
> localhost requests).
>
> The Sample Container UI has been changed to support this feature
> (including allowing one to pick a file from the local filesystem via a
> file input control)
>
> Please review this at http://codereview.appspot.com/10269
>
> Affected files:
>
> java/gadgets/src/main/java/org/apache/shindig/gadgets/servlet/localfile/LocalFileServlet.java
> java/server/src/main/webapp/WEB-INF/web.full.xml
> java/server/src/main/webapp/WEB-INF/web.gadgets.xml
> java/server/src/main/webapp/WEB-INF/web.xml
> javascript/samplecontainer/samplecontainer.html
> javascript/samplecontainer/samplecontainer.js
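
The two concerns raised in this thread (a localhost check that sees a reverse proxy's address, and no containment check on the requested path), sketched as a guard in plain Java. This is an added example, not code from the Shindig patch; LocalFileGuard, its method names and the proxy header list are assumptions, and the header test is only a heuristic because a proxy may forward requests without adding any of these headers.

```java
import java.io.IOException;
import java.net.InetAddress;
import java.nio.file.*;
import java.util.*;

// Added illustration; class and method names are hypothetical, not Shindig's.
public class LocalFileGuard {
    // Headers a reverse proxy commonly adds. If one is present, the TCP peer
    // (the value getRemoteAddr() reports) is the proxy, not the real client.
    private static final List<String> PROXY_HEADERS =
            List.of("x-forwarded-for", "forwarded", "via", "x-real-ip");

    // remoteAddr: the peer address as a servlet's getRemoteAddr() would report it.
    static boolean isDirectLoopback(String remoteAddr, Collection<String> headerNames) {
        // InetAddress.getByName(null) and getByName("") both return loopback,
        // so a missing address must be rejected before parsing.
        if (remoteAddr == null || remoteAddr.isEmpty()) return false;
        for (String h : headerNames)
            if (PROXY_HEADERS.contains(h.toLowerCase(Locale.ROOT))) return false;
        try {
            return InetAddress.getByName(remoteAddr).isLoopbackAddress();
        } catch (IOException e) {
            return false;
        }
    }

    // Returns the real path of `requested` only if it is a regular file under baseDir.
    static Optional<Path> resolveInside(Path baseDir, String requested) {
        try {
            Path base = baseDir.toRealPath();
            Path candidate = base.resolve(requested).normalize(); // collapses ".."
            if (!candidate.startsWith(base) || !Files.isRegularFile(candidate))
                return Optional.empty();
            Path real = candidate.toRealPath(); // follows symlinks, so re-check
            return real.startsWith(base) ? Optional.of(real) : Optional.empty();
        } catch (IOException | InvalidPathException e) {
            return Optional.empty();
        }
    }

    public static void main(String[] args) throws IOException {
        Path base = Files.createTempDirectory("gadgets"); // constructed sample data
        Files.writeString(base.resolve("hello.xml"), "<Module/>");
        System.out.println(isDirectLoopback("127.0.0.1", List.of("Host")));
        System.out.println(isDirectLoopback("127.0.0.1", List.of("Host", "X-Forwarded-For")));
        System.out.println(resolveInside(base, "hello.xml").isPresent());
        System.out.println(resolveInside(base, "../../etc/passwd").isPresent());
    }
}
```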

