Bertrand Delacretaz wrote:
> I had another look and the functionality that SLING-2512 disables
> could in certain cases allow arbitrary files to be imported in the
> repository, which we don't want of course.

Actually this isn't a correct assessment from my analysis so far. The
implementation of SLING-2512 doesn't prevent the inclusion of the arbitrary
files; it simply prevents the inclusion of any and all files when importing
and the xmlLocation is unknown, which is when it is imported via an
InputStream, such as through the SlingPostServlet.

If you were to import the supplied XML through the other import mechanism
(through the URL parameter), those files would be imported as they are.
That is, there is nothing actually preventing the use of absolute URLs in
the XML format, since the only thing done in creation of the URL to import
is the small code snippet of
/new URL(baseLocation, value)/ (from
/org.apache.sling.jcr.contentloader.internal.readers.XmlReader.java:564/).
This native Java functionality is designed so that information is utilized
from the /baseLocation/ if that information is missing from the /value/.
That is, when constructing a new URL in this fashion with /baseLocation/
being "file:/C:/test/sling/sling-import.xml" and the /value/ being
"file:/D:/some/other/seemingly/unrelated/content/video1.mp4",
all information from /baseLocation/ is ignored, because /value/ is a
complete URL already.

If the intent was to not allow absolute URLs in the XML format to exclude
the possibility of "arbitrary content", then that should've been the
approach taken instead of the current approach of simply not importing if
the would-be URL spec (/baseLocation/ here) is null.

Regardless, this functionality is basically non-utilizable for some of the
intentions I had in mind for it, forcing my hand into a customization, which
is not currently desirable - the intent here was to stay OOTB, so this would
likely end up doing file uploads individually through the SlingPostServlet
instead.
--
View this message in context: 
http://apache-sling.73963.n3.nabble.com/Further-clarification-of-SLING-2512-tp4053816p4053852.html
Sent from the Sling - Users mailing list archive at Nabble.com.
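The resolution behaviour described in the message above, shown as an added example that is not code from the page or from the Apache Sling project: `resolveUnchecked` mirrors the `new URL(baseLocation, value)` call quoted from XmlReader.java, and `resolveConfined` is a hypothetical check of the kind the message argues for, accepting a reference only when the resolved URL stays inside the directory of the import file. It goes slightly beyond the message by also normalizing `..` segments, since a relative value can resolve outside that directory as well; the class and method names and the sample values are assumptions.

```java
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.util.Objects;

public class ContentReferenceCheck {

    /** Same call as XmlReader.java:564: an absolute value ignores the base entirely. */
    static URL resolveUnchecked(URL baseLocation, String value) throws MalformedURLException {
        return new URL(baseLocation, value);
    }

    /**
     * Hypothetical hardened variant: resolve exactly as before, then reject the
     * result unless it has the same scheme and authority as the import file and
     * its normalized path lies under the import file's directory.
     */
    static URL resolveConfined(URL baseLocation, String value)
            throws MalformedURLException, URISyntaxException {
        URL resolved = new URL(baseLocation, value);
        URI baseDir = baseLocation.toURI().normalize().resolve(".");  // directory holding the XML
        URI target = resolved.toURI().normalize();                     // collapses "." and ".."
        boolean sameOrigin = Objects.equals(baseDir.getScheme(), target.getScheme())
                && Objects.equals(baseDir.getAuthority(), target.getAuthority());
        String dirPath = baseDir.getPath();      // ends with "/" so prefix test is exact
        String targetPath = target.getPath();
        if (!sameOrigin || dirPath == null || targetPath == null || !targetPath.startsWith(dirPath)) {
            throw new MalformedURLException("content reference escapes import directory: " + value);
        }
        return resolved;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values, taken from the discussion above.
        URL base = new URL("file:/C:/test/sling/sling-import.xml");
        String[] values = {
            "video1.mp4",                                                  // accepted by both
            "file:/D:/some/other/seemingly/unrelated/content/video1.mp4",  // base ignored; rejected
            "../../other/video1.mp4"                                       // relative but escapes; rejected
        };
        for (String v : values) {
            System.out.println("unchecked: " + resolveUnchecked(base, v));
            try {
                System.out.println("confined:  " + resolveConfined(base, v));
            } catch (MalformedURLException e) {
                System.out.println("confined:  rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```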
