Re: [xwiki-devs] [xwiki-notifications] r28861 - in platform/core/branches/xwiki-core-2.2/xwiki-core/src: main/java/com/xpn/xwiki main/java/com/xpn/xwiki/web test/java/com/xpn/xwiki/web - xwiki-devs@xwiki.org

14 May 2010

On May 13, 2010, at 10:45 PM, sdumitriu (SVN) wrote:

...
  Author: sdumitriu
 Date: 2010-05-13 22:45:42 +0200 (Thu, 13 May 2010)
 New Revision: 28861

 Modified:

platform/core/branches/xwiki-core-2.2/xwiki-core/src/main/java/com/xpn/xwiki/XWiki.java

platform/core/branches/xwiki-core-2.2/xwiki-core/src/main/java/com/xpn/xwiki/web/SkinAction.java

platform/core/branches/xwiki-core-2.2/xwiki-core/src/test/java/com/xpn/xwiki/web/SkinActionTest.java
 Log:
 XWIKI-2580: Improve file access sandboxing
 Fixed.
 Patch from Alex Busenius applied with minor changes.
 Merged from trunk@r28858 
[snip]
...

 Modified:
platform/core/branches/xwiki-core-2.2/xwiki-core/src/test/java/com/xpn/xwiki/web/SkinActionTest.java
 ===================================================================
 ---
platform/core/branches/xwiki-core-2.2/xwiki-core/src/test/java/com/xpn/xwiki/web/SkinActionTest.java	2010-05-13
20:45:29 UTC (rev 28860)
 +++
platform/core/branches/xwiki-core-2.2/xwiki-core/src/test/java/com/xpn/xwiki/web/SkinActionTest.java	2010-05-13
20:45:42 UTC (rev 28861)
 @@ -20,6 +20,8 @@
  */
 package com.xpn.xwiki.web;

 +import java.io.IOException;
 +
 import org.jmock.cglib.MockObjectTestCase;

 /**
 @@ -66,4 +68,54 @@
     {
         assertFalse(this.action.isJavascriptMimeType(null));
     }
 +
 +    public void testIncorrectSkinFile()
 +    {
 +        try {
 +            this.action.getSkinFilePath("../../resources/js/xwiki/xwiki.js",
"colibri");
 +            assertTrue("should fail", false);
 +        } catch (IOException e) {
 +            // good
 +        }
 +        try {
 +            this.action.getSkinFilePath("../../../", "colibri");
 +            assertTrue("should fail", false);
 +        } catch (IOException e) {
 +            // good
 +        }
 +        try {
 +            this.action.getSkinFilePath("resources/js/xwiki/xwiki.js",
"..");
 +            assertTrue("should fail", false);
 +        } catch (IOException e) {
 +            // good
 +        }
 +        try {
 +            this.action.getSkinFilePath("../resources/js/xwiki/xwiki.js",
".");
 +            assertTrue("should fail", false);
 +        } catch (IOException e) {
 +            // good
 +        }
 +    }
 + 
This should be 4 separate tests.

-Vincent

...
  +    public void testIncorrectResourceFile()
 +    {
 +        try {
 +            this.action.getResourceFilePath("../../skins/js/xwiki/xwiki.js");
 +            assertTrue("should fail", false);
 +        } catch (IOException e) {
 +            // good
 +        }
 +        try {
 +            this.action.getResourceFilePath("../../../");
 +            assertTrue("should fail", false);
 +        } catch (IOException e) {
 +            // good
 +        }
 +        try {
 +            this.action.getResourceFilePath("../../redirect");
 +            assertTrue("should fail", false);
 +        } catch (IOException e) {
 +            // good
 +        }
 +    }
 }

 _______________________________________________
 notifications mailing list
 notifications(a)xwiki.org
 http://lists.xwiki.org/mailman/listinfo/notifications 