This Bugzilla instance is a read-only archive of historic NetBeans bug reports. To report a bug in NetBeans please follow the project's instructions for reporting issues.

Bug 46459

Summary: Request FileUtil.preventFileChooserSymlinkTraversal
Product: platform
Reporter: Jesse Glick <jglick>
Component: Filesystems
Assignee: Jesse Glick <jglick>
Status: RESOLVED FIXED
Severity: blocker
CC: phrebejk, rmatous
Priority: P2
Keywords: API, API_REVIEW_FAST
Version: 4.x
Hardware: All
OS: All
Issue Type: ENHANCEMENT
Exception Reporter:
Bug Depends on:
Bug Blocks: 46014
Attachments: Proposed addition to FileUtil, plus example of its application to the Open Project dialog (tested and functional in contrast to the unpatched Add Favorites dialog, tried on Linux under 1.4.2_04 Metal, 1.5.0 b58 Ocean, 1.5.0 b58 GTK)

Description Jesse Glick 2004-07-22 19:37:19 UTC
It seems we need an API method to work around a
severe Swing bug in a common way. See issue #46014
for details.
Comment 1 Jesse Glick 2004-07-22 19:44:11 UTC
Created attachment 16397
Proposed addition to FileUtil, plus example of its application to the Open Project dialog (tested and functional in contrast to the unpatched Add Favorites dialog, tried on Linux under 1.4.2_04 Metal, 1.5.0 b58 Ocean, 1.5.0 b58 GTK)
Comment 2 Jesse Glick 2004-07-22 19:48:10 UTC
Note #1: might be necessary to have the method actually take a File
currentDirectory (optional, may be null), and if non-null wrap it
before setting it. Otherwise it seems that while you can select a
noncanonicalized symlink dir to open a project from, the persisted
default directory for the dialog gets set as a plain java.io.File on
the file chooser, causing the path to get "polluted" with an unwrapped
File temporarily, so that the dialog opens with the canonicalized
path. You can browse to the uncanonicalized path, so this is only a
minor annoyance.

Note #2: of course if and when the Swing bug is fixed, we can patch
the method to do nothing for fixed JREs; and when we take as a minimum
a JRE which already has the fix, we can just make the method do
nothing and deprecate it.

Note #3: I put the method into FileUtil rather than Utilities since it
does depend on the normalizeFile method and separation of openide
dictates that Utilities should not depend on FileUtil.
Comment 3 Jesse Glick 2004-07-30 22:20:22 UTC
No objections; I will commit it.
Comment 4 Jesse Glick 2004-07-30 23:32:56 UTC
committed   * Up-To-Date  1.152       openide/openide-spec-vers.properties
committed   * Up-To-Date  1.212       openide/api/doc/changes/apichanges.xml
committed   * Up-To-Date  1.106       openide/src/org/openide/filesystems/FileUtil.java