Bugzilla – Full Text Bug Listing
| Summary: | FileLocator.find() can find files outside of the bundle | ||||||||
|---|---|---|---|---|---|---|---|---|---|
| Product: | [Eclipse Project] Equinox | Reporter: | Chris Goldthorpe <cgold> | ||||||
| Component: | Framework | Assignee: | Thomas Watson <tjwatson> | ||||||
| Status: | RESOLVED FIXED | QA Contact: | |||||||
| Severity: | normal | ||||||||
| Priority: | P3 | CC: | kaloyan, Mike_Wilson, pwebster, tjwatson, yxzhong | ||||||
| Version: | 3.6 | ||||||||
| Target Milestone: | 3.7 M1 | ||||||||
| Hardware: | PC | ||||||||
| OS: | Windows XP | ||||||||
| Whiteboard: | |||||||||
| Attachments: |
|
||||||||
|
Description
Chris Goldthorpe
Created attachment 174902 [details]
Test case
To reproduce:
Unzip the attachment in a temporary directory.
Create a text file file.txt in the directory which contains the bundle.
File/Import/Existing Project
Launch Eclipse
File Locate Menu/File Locate Test
A messagebox opens showing the contents of file.txt, which was located using FileLocator.find()
It turns out that Bundle.getEntry can leak out URLs that point to resources are outside of a directory bundle's top level directory. I will look at fixing this. Created attachment 175023 [details]
patch + test
There were four methods on DirBundleFile that allowed you to access or get information on files outside of the directory bundle file itself. This patch does some extra checks if folks are trying ".." paths to access bundle content from a directory bundle.
I was tempted to always fail to find resources if the path contained any ".."s since this is not supported for jar'ed bundles. But this patch is a more conservative behavior change. It only fails to find files if they end up being outside of the bundle's content.
patch released. *** Bug 418266 has been marked as a duplicate of this bug. *** |