Open GoogleCodeExporter opened 9 years ago
Similar kind of issue for the location argument of
ro.isdc.wro.model.resource.locator.support.DispatcherStreamLocator.locateExternal(HttpServletRequest, String).
Original comment by dkwak...@gmail.com
on 21 Jan 2015 at 12:29
I really appreciate that you look into this kind of details. If you have any
patches available, please share them via pull requests on the github project
page:
https://github.com/alexo/wro4j
Original comment by alex.obj...@gmail.com
on 21 Jan 2015 at 12:31
One note regarding path manipulation:
since the paths are provided by the model (which is in control of the
application developer), there is no way they could be injected externally by a
hacker.... or am I missing something?
Original comment by alex.obj...@gmail.com
on 21 Jan 2015 at 12:32
Yes, if you are sure they come from the model then it is safe. I tried to
follow the injection paths, but this takes a lot of time. From a security point
of view I would prefer to add a check here (if there is a way to inject, at
least you are safe).
How to implement this check can be found here:
https://www.securecoding.cert.org/confluence/display/java/FIO16-J.+Canonicalize+path+names+before+validating+them
Original comment by dkwak...@gmail.com
on 21 Jan 2015 at 1:35
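The canonicalize-then-validate check referred to above (CERT FIO16-J), applied to a location string before it is used to open a resource. This is an added illustration, not wro4j code; the class name, BASE_DIR and the sample locations are assumptions.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example (not part of wro4j): validate a location only after
 * canonicalizing it, so ".." segments, duplicate separators and symlinks are
 * resolved before the containment check is made.
 */
public class SafeLocation {

    /** Directory below which locations are allowed to resolve (assumption). */
    private static final File BASE_DIR = new File("/var/www/static");

    /**
     * Resolves location relative to BASE_DIR and returns the canonical file
     * only if it still lies inside BASE_DIR; otherwise throws.
     */
    public static File resolveInsideBase(String location) throws IOException {
        if (location == null || location.isEmpty()) {
            throw new IllegalArgumentException("empty location");
        }
        File candidate = new File(BASE_DIR, location);
        // Canonical paths are compared, not the caller-supplied string.
        String canonicalBase = BASE_DIR.getCanonicalPath();
        String canonicalCandidate = candidate.getCanonicalPath();
        // The trailing separator stops "/var/www/static-private" from
        // passing as a child of "/var/www/static".
        boolean inside = canonicalCandidate.equals(canonicalBase)
                || canonicalCandidate.startsWith(canonicalBase + File.separator);
        if (!inside) {
            throw new SecurityException("location escapes base directory: " + location);
        }
        return new File(canonicalCandidate);
    }

    public static void main(String[] args) throws IOException {
        // Constructed inputs: the first stays inside BASE_DIR, the second does not.
        System.out.println(resolveInsideBase("css/site.css"));
        try {
            resolveInsideBase("../../outside.txt");
        } catch (SecurityException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the check runs on the canonical path, the same rule also rejects a symlink under BASE_DIR that points outside it, which a string prefix test on the raw argument would miss.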
Original issue reported on code.google.com by
dkwak...@gmail.com
on 21 Jan 2015 at 12:24