New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
controllers.AssetsBuilder.resourceNameAt incorrectly looks at local file system #2337
Comments
We should probably remove the |
That seems like a good idea, but unfortunately still isn't quite right because getCanonicalPath attempts to resolve symlinks. It also seems like it would still let you read files under "public2". Would it be safer just to refuse any path containing "/../"? |
The difficulty is that if you start targeting specific cases, then all sorts of edge cases start to slip through, like using Windows file separators, or combinations of UNIX and windows file separators, or URL encoding things to hide the separators, malformed paths, etc etc. I think it would be safer for us to prefix the whole thing with a path we know doesn't exist, and keep the current logic. |
Just a random suggestion, but the path itself is passed through the resource loader immediately after this check. In the case of jar resources this isn't a problem, and URLs are supposed to be canonical anyway. Perhaps these checks should be done in the resource loader, where it actually knows about the underlying file system, or on the resulting file: URLs? |
The difficulty is finding the methods that will do this. URLs are supposed to be canonical, but they aren't in practice, you can put a dot dot in a URL and many things that read it will accept it with no problems. What I'd like to try and avoid is put this logic into Play, I'd rather reuse existing functionality that we know works. |
I would say this is fixed in 2.6.latest and 2.7. as well. So closing. |
We ran into a strange situation where controllers.Assets was working on some systems and not others. This is because one function is treating the paths as local filesystem paths rather than resource paths:
Elsewhere in Assets, path is correctly treated as a resource path, but here it actually constructs Files out of the raw path (e.g., "/public/foo"). If "/public/foo" happens to exist on the local machine and be a directory, Assets returns 404, even though there is a perfectly good resource called "/public/foo".
The text was updated successfully, but these errors were encountered: