This issue has been created
There are 5 updates.
 
 
XWiki Commons / XCOMMONS-3327 In Progress

Provide an internal helper to safely access ClassLoader resources

 
 

Issue created

 
Thomas Mortagne created this issue on 30/Apr/25 12:05
 
Summary: Provide an internal helper to safely access ClassLoader resources
Issue Type: Task
Affects Versions: 16.10.6
Assignee: Unassigned
Components: Classloader
Created: 30/Apr/25 12:05
Priority: Major
Reporter: Thomas Mortagne
Description:

In an application server, ClassLoader#getResource and ClassLoader#getResourceAsStream can be fooled by path traversal syntaxes (../) to go read files which are not really supposed to be part of the classloader.

To make it easier to avoid this problem, it would be nice to produce a tool with a protection against that.
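
One way such a protection could look, as an added example that is not part of the issue and not XWiki's implementation: the resource name is normalized segment by segment and rejected if it would climb above a fixed prefix before it ever reaches ClassLoader#getResourceAsStream. The class name SafeResources, its methods, the "static/" prefix and the sample names are all hypothetical; the prefix is assumed to end with "/" and to contain no ".." itself.

```java
import java.io.InputStream;
import java.util.ArrayDeque;
import java.util.Deque;

// Added example: hypothetical helper, not XWiki code.
public final class SafeResources {
    private SafeResources() { }

    /** Resolves name under prefix; throws if the name escapes the prefix. */
    static String resolve(String prefix, String name) {
        // Backslashes and NUL have no place in a classloader resource name.
        if (name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("Illegal character in resource name");
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : name.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // "//" and "./" do not change the location
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    // One more ".." would leave the allowed prefix.
                    throw new IllegalArgumentException("Resource name escapes [" + prefix + "]");
                }
                segments.removeLast();
            } else {
                segments.addLast(segment);
            }
        }
        if (segments.isEmpty()) {
            throw new IllegalArgumentException("Empty resource name");
        }
        return prefix + String.join("/", segments);
    }

    /** Opens the resource only after the name passed the check above. */
    static InputStream open(ClassLoader loader, String prefix, String name) {
        return loader.getResourceAsStream(resolve(prefix, name));
    }

    public static void main(String[] args) {
        // Constructed sample names: two legitimate, one traversal attempt.
        for (String name : new String[] {"skin/style.css", "a/../b.txt", "../../secret.properties"}) {
            try {
                System.out.println(name + " -> " + resolve("static/", name));
            } catch (IllegalArgumentException e) {
                System.out.println(name + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```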

 
 

5 updates

 
Changes by Thomas Mortagne on 30/Apr/25 12:06
 
Fix Version: 16.10.7
Fix Version: 17.4.0-rc-1
Fix Version: 16.4.8
Assignee: Thomas Mortagne
Status: Open → In Progress