Bug 46459 - Request FileUtil.preventFileChooserSymlinkTraversal
Status: RESOLVED FIXED
Product: platform
Classification: Unclassified
Component: Filesystems
Version: 4.x
Hardware: All All
Priority: P2
Target Milestone: 4.x
Assigned To: Jesse Glick
QA Contact: issues@platform
Keywords: API, API_REVIEW_FAST
Blocks: 46014

Reported: 2004-07-22 19:37 UTC by Jesse Glick
Modified: 2008-12-22 17:53 UTC
Issue Type: ENHANCEMENT

Attachments
Proposed addition to FileUtil, plus example of its application to the Open Project dialog (tested and functional in contrast to the unpatched Add Favorites dialog, tried on Linux under 1.4.2_04 Metal, 1.5.0 b58 Ocean, 1.5.0 b58 GTK) (8.50 KB, patch)
2004-07-22 19:44 UTC, Jesse Glick

Description Jesse Glick 2004-07-22 19:37:19 UTC
It seems we need an API method to work around a
severe Swing bug in a common way. See issue #46014
for details.
Comment 1 Jesse Glick 2004-07-22 19:44:11 UTC
Created attachment 16397
Proposed addition to FileUtil, plus example of its application to the Open Project dialog (tested and functional in contrast to the unpatched Add Favorites dialog, tried on Linux under 1.4.2_04 Metal, 1.5.0 b58 Ocean, 1.5.0 b58 GTK)
Comment 2 Jesse Glick 2004-07-22 19:48:10 UTC
Note #1: might be necessary to have the method actually take a File
currentDirectory (optional, may be null), and if non-null wrap it
before setting it. Otherwise it seems that while you can select a
noncanonicalized symlink dir to open a project from, the persisted
default directory for the dialog gets set as a plain java.io.File on
the file chooser, causing the path to get "polluted" with an unwrapped
File temporarily, so that the dialog opens with the canonicalized
path. You can browse to the uncanonicalized path, so this is only a
minor annoyance.

Note #2: of course if and when the Swing bug is fixed, we can patch
the method to do nothing for fixed JREs; and when we take as a minimum
a JRE which already has the fix, we can just make the method do
nothing and deprecate it.

Note #3: I put the method into FileUtil rather than Utilities since it
does depend on the normalizeFile method and separation of openide
dictates that Utilities should not depend on FileUtil.
Comment 3 Jesse Glick 2004-07-30 22:20:22 UTC
No objections; I will commit it.
Comment 4 Jesse Glick 2004-07-30 23:32:56 UTC
committed   * Up-To-Date  1.152       openide/openide-spec-vers.properties
committed   * Up-To-Date  1.212       openide/api/doc/changes/apichanges.xml
committed   * Up-To-Date  1.106       openide/src/org/openide/filesystems/FileUtil.java

