From: James F. <jam...@gm...> - 2010-03-24 19:03:35
On Wed, Mar 24, 2010 at 7:53 PM, Dmitriy Shabanov <sha...@gm...> wrote:
> Hey,
>
> On Wed, 2010-03-24 at 19:46 +0100, Dannes Wessels wrote:
>> On Wed, Mar 24, 2010 at 7:23 PM, Dmitriy Shabanov <sha...@gm...> wrote:
>> > Do we speak about LibFunction? I don't see any security issue there, or
>> > I'm missing something?
>>
>> > Any scenario?
>>
>> The issue is fundamental. A jar library is specified by a query,
>> that can live anywhere, even outside the db. Basically all jar files
>> can be specified,
>> including those which you might not want to expose, e.g. private
>> libraries.
>
> ok, for now it hard-coded to
>
> private final static String LIB_WEBINF = "WEB-INF/lib/";
> private final static String[] LIB = {"./lib/core",
> "./lib/optional", "./lib/extensions", "./lib/user", "."};
>
> so, simplest solution hardcode it jars mask like log4j-%latest%.jar too
> (src/org/exist/start/start.config can be used/reused)
>
> Will it solve this problem?

I would also like to have unit test(s) that assert that it is not a problem ... though admittedly there are other code 'hotspots' (including code I am writing) where we need to test with respect to security, this is probably as good a place to start as anywhere else. Don't forget, it's easy to add xquery level unit tests now as well aka eXist/test/src/xquery

J
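The whitelist Dmitriy sketches (fixed search roots plus a name mask such as log4j-%latest%.jar) can be made testable in one place. The following is an added illustration written for this thread, not eXist's LibFunction code; the class name, the resolve() method and the second mask entry are constructed, and only the LIB roots are taken from the quoted message.

```java
import java.io.File;
import java.io.IOException;
import java.util.regex.Pattern;

/** Hypothetical resolver: a query may name a jar, but only a bare file
 *  name matching an allowed mask, found directly under a known root. */
public class JarWhitelist {
    // Search roots as quoted in the thread.
    private static final String[] LIB = {"./lib/core", "./lib/optional",
            "./lib/extensions", "./lib/user", "."};
    // A mask like log4j-%latest%.jar becomes an anchored pattern that
    // accepts a version string but no separators or parent references.
    private static final Pattern[] MASKS = {
        Pattern.compile("log4j-[0-9][0-9A-Za-z._-]*\\.jar"),
        Pattern.compile("exist-[0-9A-Za-z._-]*\\.jar")  // constructed entry
    };

    /** Returns the resolved jar, or null if the request is not allowed. */
    public static File resolve(String requested) throws IOException {
        // Only a bare file name is accepted: reject any path component.
        if (requested == null || requested.contains("/")
                || requested.contains("\\") || requested.contains("..")) {
            return null;
        }
        boolean allowed = false;
        for (Pattern p : MASKS) {
            if (p.matcher(requested).matches()) { allowed = true; break; }
        }
        if (!allowed) return null;
        for (String dir : LIB) {
            File root = new File(dir).getCanonicalFile();
            File candidate = new File(root, requested).getCanonicalFile();
            // Defence in depth: after canonicalisation (which follows
            // symlinks) the jar must still sit directly inside the root.
            if (candidate.getParentFile() != null
                    && candidate.getParentFile().equals(root)
                    && candidate.isFile()) {
                return candidate;
            }
        }
        return null;
    }
}
```

A unit test of the kind James asks for would assert that resolve("../private.jar") and resolve("/opt/private.jar") return null while resolve("log4j-1.2.jar") returns the file under one of the LIB roots.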