Jsp File Browser

Task #27 — Doc: RESTRICT_PATH must be canonicalPath

Attached to Project — Jsp File Browser

Opened by Margaret Leber (MaggieL) - 18 Sep 2006

Task Type: Feature Request
Severity: Medium
Category: Access restriction
Reported Version: 1.2
Status: Unconfirmed
Due in Version: Undecided
Assigned To: No-one
Percent Complete: 0% complete
Operating System: Linux

Details

I set
private static final boolean RESTRICT_BROWSING = true;
private static final boolean RESTRICT_WHITELIST = true;
private static final String RESTRICT_PATH = "/work";

and get

You are not allowed to access /work

I looked at isAllowed()...using getCanonicalPath() there could be a problem in situations where you don't want to expose the full pathname to a directory for security reasons and/or have symlinks in a UNIX filesystem.

It happens that in my case /work is a symlink to a place 'way deeper in the filesystem, and of course that's what getCanonicalPath() returns. If I use that full pathname in RESTRICT_PATH everything works fine.

This might be worth a mention in the README if using getPath() rather than getCanonicalPath() is a problem...which on very brief reflection I can see how it might be.
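
The behaviour described in this report, as an added example that is not part of the original task or the Jsp File Browser source: on a constructed temp-directory layout where `work` is a symlink, it compares a check that canonicalizes only the request, one that canonicalizes both sides, and an unresolved getPath()-style comparison. The class, method names and directory layout are assumptions for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class RestrictPathDemo {
    // Hypothetical check in the style the report describes: the request is
    // canonicalized, but the configured root is compared exactly as written.
    static boolean allowedRawRoot(String root, String requested) throws IOException {
        return new File(requested).getCanonicalPath().startsWith(root);
    }

    // Canonicalize both sides and match on a separator boundary, so the root
    // may be configured as a symlink and "/work2" never matches "/work".
    static boolean allowedCanonicalRoot(String root, String requested) throws IOException {
        String r = new File(root).getCanonicalPath();
        String p = new File(requested).getCanonicalPath();
        String prefix = r.endsWith(File.separator) ? r : r + File.separator;
        return p.equals(r) || p.startsWith(prefix);
    }

    // What a getPath()-based comparison does: no symlink or ".." resolution.
    static boolean allowedUnresolved(String root, String requested) {
        return new File(requested).getPath().startsWith(root);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout (needs a filesystem with symlink support):
        //   <tmp>/deep/real  the real directory
        //   <tmp>/work       symlink to <tmp>/deep/real, used as the root
        Path tmp = Files.createTempDirectory("restrict-demo");
        Path real = Files.createDirectories(tmp.resolve("deep").resolve("real"));
        Path work = Files.createSymbolicLink(tmp.resolve("work"), real);
        String root = work.toString();
        String inside = root + File.separator + "file.txt";
        String outside = root + File.separator + ".." + File.separator + "secret";

        System.out.println("symlink root, request canonicalized only:");
        System.out.println("  root itself   -> " + allowedRawRoot(root, root));
        System.out.println("both sides canonicalized:");
        System.out.println("  root itself   -> " + allowedCanonicalRoot(root, root));
        System.out.println("  file in root  -> " + allowedCanonicalRoot(root, inside));
        System.out.println("  ../secret     -> " + allowedCanonicalRoot(root, outside));
        System.out.println("getPath() prefix comparison:");
        System.out.println("  ../secret     -> " + allowedUnresolved(root, outside));
    }
}
```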