This was discovered while investigating Bug 223539. If a bundle is not jarred, the line below

URL url = FileLocator.find(bundle, new Path("../file.txt"), null);

can be used to access a file outside of the bundle, and any file on the system could potentially be accessed this way. There does not seem to be any reason to allow this, as only bad things can happen if the FileLocator is used to read files outside the bundle.
Created attachment 174902 [details]
Test case

To reproduce:
Unzip the attachment in a temporary directory.
Create a text file file.txt in the directory which contains the bundle.
File/Import/Existing Project
Launch Eclipse
File Locate Menu/File Locate Test
A messagebox opens showing the contents of file.txt, which was located using FileLocator.find().
It turns out that Bundle.getEntry can leak out URLs that point to resources that are outside of a directory bundle's top level directory. I will look at fixing this.
Created attachment 175023 [details]
patch + test

There were four methods on DirBundleFile that allowed you to access or get information on files outside of the directory bundle file itself. This patch does some extra checks if folks are trying ".." paths to access bundle content from a directory bundle. I was tempted to always fail to find resources if the path contained any ".."s since this is not supported for jarred bundles. But this patch is a more conservative behavior change. It only fails to find files if they end up being outside of the bundle's content.
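The containment check the patch comment describes, written out as an added illustration (this is not the Equinox DirBundleFile patch itself); the class name, the bundle root path and the sample entry paths are constructed for the example:

```java
// Added example, not Equinox code: resolve a bundle-relative entry path against the
// bundle's directory and accept it only if it stays inside that directory, which
// matches the "conservative" behaviour described above (".." is allowed as long as
// the resolved path does not leave the bundle).
import java.nio.file.Path;
import java.nio.file.Paths;

public final class BundlePathCheck {

    /** Returns the resolved path, or null if entryPath would escape bundleRoot. */
    public static Path resolveInsideBundle(Path bundleRoot, String entryPath) {
        Path root = bundleRoot.toAbsolutePath().normalize();
        // A leading "/" in a bundle entry path is bundle-relative, not an absolute
        // filesystem path, so strip it before resolving.
        String relative = entryPath.startsWith("/") ? entryPath.substring(1) : entryPath;
        // normalize() collapses "." and ".." lexically; anything that walked out of the
        // root no longer has the root as a prefix afterwards.
        Path candidate = root.resolve(relative).normalize();
        return candidate.startsWith(root) ? candidate : null;
    }

    public static void main(String[] args) {
        Path root = Paths.get("/tmp/bundles/org.example.plugin"); // constructed sample root
        String[] samples = {
            "plugin.xml",           // inside the bundle: accepted
            "icons/../plugin.xml",  // contains ".." but stays inside: accepted
            "../file.txt",          // the case from the report: rejected
            "a/../../file.txt",     // escapes only after normalisation: rejected
            "/../file.txt"          // leading slash does not change the outcome: rejected
        };
        for (String s : samples) {
            Path p = resolveInsideBundle(root, s);
            System.out.println(s + " -> " + (p == null ? "REJECTED" : p));
        }
    }
}
```

The check is purely lexical: a symbolic link inside the bundle directory that points elsewhere is not detected by normalize(), so a deployment that must also defend against that would resolve with toRealPath() before comparing prefixes.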
patch released.
*** Bug 418266 has been marked as a duplicate of this bug. ***