Re: [xwiki-devs] [xwiki-notifications] r28861 - in platform/core/branches/xwiki-core-2.2/xwiki-core/src: main/java/com/xpn/xwiki main/java/com/xpn/xwiki/web test/java/com/xpn/xwiki/web

Author: sdumitriu Date: 2010-05-13 22:45:42 +0200 (Thu, 13 May 2010) New Revision: 28861 Modified: platform/core/branches/xwiki-core-2.2/xwiki-core/src/main/java/com/xpn/xwiki/XWiki.java platform/core/branches/xwiki-core-2.2/xwiki-core/src/main/java/com/xpn/xwiki/web/SkinAction.java platform/core/branches/xwiki-core-2.2/xwiki-core/src/test/java/com/xpn/xwiki/web/SkinActionTest.java Log: XWIKI-2580: Improve file access sandboxing Fixed. Patch from Alex Busenius applied with minor changes. Merged from trunk@r28858

Modified: platform/core/branches/xwiki-core-2.2/xwiki-core/src/test/java/com/xpn/xwiki/web/SkinActionTest.java =================================================================== --- platform/core/branches/xwiki-core-2.2/xwiki-core/src/test/java/com/xpn/xwiki/web/SkinActionTest.java 2010-05-13 20:45:29 UTC (rev 28860) +++ platform/core/branches/xwiki-core-2.2/xwiki-core/src/test/java/com/xpn/xwiki/web/SkinActionTest.java 2010-05-13 20:45:42 UTC (rev 28861) @@ -20,6 +20,8 @@ */ package com.xpn.xwiki.web; +import java.io.IOException; + import org.jmock.cglib.MockObjectTestCase; /** @@ -66,4 +68,54 @@ { assertFalse(this.action.isJavascriptMimeType(null)); } + + public void testIncorrectSkinFile() + { + try { + this.action.getSkinFilePath("../../resources/js/xwiki/xwiki.js", "colibri"); + assertTrue("should fail", false); + } catch (IOException e) { + // good + } + try { + this.action.getSkinFilePath("../../../", "colibri"); + assertTrue("should fail", false); + } catch (IOException e) { + // good + } + try { + this.action.getSkinFilePath("resources/js/xwiki/xwiki.js", ".."); + assertTrue("should fail", false); + } catch (IOException e) { + // good + } + try { + this.action.getSkinFilePath("../resources/js/xwiki/xwiki.js", "."); + assertTrue("should fail", false); + } catch (IOException e) { + // good + } + } +

+ public void testIncorrectResourceFile() + { + try { + this.action.getResourceFilePath("../../skins/js/xwiki/xwiki.js"); + assertTrue("should fail", false); + } catch (IOException e) { + // good + } + try { + this.action.getResourceFilePath("../../../"); + assertTrue("should fail", false); + } catch (IOException e) { + // good + } + try { + this.action.getResourceFilePath("../../redirect"); + assertTrue("should fail", false); + } catch (IOException e) { + // good + } + } } _______________________________________________ notifications mailing list notifications(a)xwiki.org http://lists.xwiki.org/mailman/listinfo/notifications