[cp-patches] RFC: Checking file resource validity by walking path
gbenson at redhat.com
Thu Mar 9 13:50:49 UTC 2006
Olivier Jolly wrote:
> the current implementation which retrieves a File resource allows
> to retrieve Files which are located "above" the root dir (imagine
> ClassLoader.getResource("../../../etc/passwd")) while it shouldn't
> (hence the current regression in
> gnu.testlet.java.net.URLClassLoader.getResource about '..').
Well spotted :)
> I propose to check the validity of a File resource by walking through
> all the path components and making sure that all intermediate components
> are valid (ie File.isDirectory and File.exists are true) and that we
> never try to get "out" the root directory.
What you describe is mostly implemented in File.getCanonicalPath().
A fix for your issue might be as simple as:
String base = new File(ROOT).getCanonicalPath() + File.separator;
String resource = new File(ROOT, RESOURCE).getCanonicalPath();
throw new Whatever();
where ROOT and RESOURCE are the classloader root and the resource
you're after, respectively.
> I only consider ".." as a way to escaping the root directory, it
> may be more complex than that ...
There are symbolic links to consider too. File.getCanonicalPath()
should handle them.
More information about the Classpath-patches