Remy Maucherat wrote:
> Henri Gomez wrote:
>
>>> This is likely the protection against reading anything outside the
>>> webapp root (see the "allowLinking" of FileDirContext), although I
>>> don't know how the digester will try to load the included file.
>>
>> Digester code is derived from XmlMapper which is able to locate
>> entities in ../../../ directories.
>>
>> My concern here is:
>>
>> Specs didn't mention restrictions on use of external entities outside
>> the webapp.
>>
>> So it should be granted by default, isn't it?
>>
>> I took a look at FileDirContext but I didn't understand what
>> allowLinking is.
>>
>> So my question is: bug or feature?
>
> There's a pretty strict check on the canonical path of a resource which
> I added.
> I consider it a security feature. I think a webapp should be self
> contained, so I think it's reasonable to have the check as the default.
>
> "allowLinking" disables the check.
>
> Don't be lazy, just do a search in FileDirContext ;-)
I took a look at this, but Digester doesn't use FileDirContext, so allowLinking doesn't fit.

The problem seems to be only in Digester, which fails to load ../../../settings.xml

What could we do?

PS: I tried with TC 4.1.x and all commons from CVS.

at org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344)
at java.net.URL.openStream(URL.java:793)
at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:807)
at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:738)
at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(XMLDTDScannerImpl.java:609)
at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:1927)
at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:1889)
at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:359)
at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(XMLDocumentScannerImpl.java:808)
at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329)
at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525)
at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581)
at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1175)
at org.apache.commons.digester.Digester.parse(Digester.java:1542)
at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:282)
at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639)
at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:243)
at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
at org.apache.catalina.core.StandardContext.start(StandardContext.java:3567)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
at org.apache.catalina.core.StandardHost.start(StandardHost.java:738)
at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
at org.apache.catalina.core.StandardService.start(StandardService.java:497)
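An added example, not from this thread nor from Tomcat or Digester, of the canonical-path check Remy describes, applied where the stack trace shows the entity being opened: a SAX entity resolver that refuses any external (parameter) entity whose canonical path lands outside the webapp root, regardless of whether the parser goes through FileDirContext. The class name, the webapps/example directory and the web.xml fragment are assumed or constructed for the demo.

```java
import java.io.File;
import java.io.IOException;
import java.io.StringReader;
import java.net.URI;
import javax.xml.parsers.SAXParserFactory;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.helpers.DefaultHandler;

/** SAX handler whose entity resolver refuses anything resolving outside the webapp root. */
public class WebappEntityResolver extends DefaultHandler {
    private final String root; // canonical webapp path, with trailing separator

    public WebappEntityResolver(File webappRoot) throws IOException {
        this.root = webappRoot.getCanonicalPath() + File.separator;
    }

    @Override
    public InputSource resolveEntity(String publicId, String systemId)
            throws IOException, SAXException {
        // Xerces passes the system id already resolved against the document base,
        // so a "../../../settings.xml" reference arrives here as an absolute file: URI.
        URI uri = URI.create(systemId);
        if (!"file".equalsIgnoreCase(uri.getScheme())) {
            throw new SAXException("refusing non-file entity: " + systemId);
        }
        // getCanonicalPath() collapses ".." and follows symlinks, so the comparison is
        // made on where the reference really lands, like the FileDirContext check.
        String canonical = new File(uri).getCanonicalPath();
        if (!canonical.startsWith(root)) {
            throw new SAXException("entity outside webapp root: " + canonical);
        }
        return new InputSource(new File(canonical).toURI().toString());
    }

    public static void main(String[] args) throws Exception {
        // Constructed web.xml fragment: parameter entity three directories above the webapp.
        String webXml = "<!DOCTYPE web-app [\n"
            + "  <!ENTITY % ext SYSTEM \"../../../settings.xml\">\n  %ext;\n]>\n<web-app/>";
        File webapp = new File("webapps/example"); // hypothetical webapp directory
        InputSource in = new InputSource(new StringReader(webXml));
        in.setSystemId(new File(webapp, "WEB-INF/web.xml").toURI().toString());
        try {
            SAXParserFactory.newInstance().newSAXParser().parse(in, new WebappEntityResolver(webapp));
            System.out.println("parsed");
        } catch (SAXException e) {
            System.out.println("blocked: " + e.getMessage()); // expected for this input
        }
    }
}
```

The same resolver can be handed to a Digester instance through its setEntityResolver method, so web.xml parsing at context start gets the check even though Digester never touches FileDirContext.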