Thread: [ginp-users] ginp issues
Brought to you by: burchbri, dougculnane
From: Gleb S. <gl...@ma...> - 2005-02-25 09:04:54
Hi,

Found GINP some time ago and after trying to add it to my application, got some questions/proposals.

Currently jsp pages for collection and picture are hardcoded in several classes, which definitely makes it difficult to embed ginp into an existing application. As the ginp Controller is made of a servlet, why not move these jsp locations into init parameters or another config place?

More than that, it would be really cool to have some base class for the ginp controller and several extensions for different web application designs. Like one implementation (extension actually) for servlet, another for Struts Action ("forwards" are much more appreciated for jsp locations). This will make ginp more flexible as an extension framework. Actually I have had to hack your code with these changes to embed this gallery into my Struts application, but it is a bit of a dirty solution and will be really hard to maintain...

Another question is about the security fix stated for the 0.22 release. Could somebody provide some more details about this fix? I'm using version 0.21 and noticed that playing with the "path" parameter of the "selectpath" command could lead you far beyond the root collection's path, exposing the directory structure on the file system (at least on Win).

Regards,
Gleb
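The behaviour Gleb describes for the "path" parameter is a directory traversal: the requested path is joined to the root collection without checking where it ends up. The class below is an added example written for this thread, not ginp's own code (the actual 0.22 fix is not shown on the list); the names PathGuard and resolveWithinRoot are assumed. It canonicalizes the joined path and accepts it only if it is the root itself or lies strictly below it.

```java
import java.io.File;
import java.io.IOException;

// Added example for this thread, not ginp's code: confine a user-supplied
// "path" parameter to the configured root collection. PathGuard and
// resolveWithinRoot are hypothetical names.
public class PathGuard {
    private final File root;
    private final String rootCanonical;

    public PathGuard(File root) throws IOException {
        this.root = root;
        // getCanonicalPath() resolves "..", ".", symlinks and platform
        // separators, so the comparison below is made on the real location.
        this.rootCanonical = root.getCanonicalPath();
    }

    // Returns the canonical directory for the requested collection path,
    // or null when the request resolves to anything outside the root.
    public File resolveWithinRoot(String requested) throws IOException {
        if (requested == null || requested.indexOf('\0') >= 0) {
            return null;
        }
        // File(parent, child) resolves child against parent (an absolute
        // child is made relative in a platform-dependent way), so escapes
        // come from ".." components or symlinks; canonicalizing catches both.
        String canonical = new File(root, requested).getCanonicalPath();
        // Append the separator to the prefix so that a sibling directory whose
        // name merely starts with the root's name is not accepted.
        if (canonical.equals(rootCanonical)
                || canonical.startsWith(rootCanonical + File.separator)) {
            return new File(canonical);
        }
        return null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root under the temp directory.
        File root = new File(System.getProperty("java.io.tmpdir"), "ginp-root-example");
        new File(root, "holiday").mkdirs();
        PathGuard guard = new PathGuard(root);
        String[] samples = { "", "holiday", "holiday/../holiday", "..", "../../etc" };
        for (int i = 0; i < samples.length; i++) {
            File resolved = guard.resolveWithinRoot(samples[i]);
            System.out.println("\"" + samples[i] + "\" -> "
                    + (resolved == null ? "rejected" : resolved.getPath()));
        }
    }
}
```

The check is done on the canonical form rather than by scanning the parameter for ".." because the file system, not the string, decides where a path lands: "holiday/../holiday" is harmless and should pass, while a symlink inside the root that points elsewhere carries no ".." at all and is still caught.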
From: Justin <ju...@sq...> - 2005-02-26 05:00:30
Gleb,

I was refactoring some of the servlets and discovered some of the input validation vulnerabilities you are talking about. They should be fixed in the current 0.22 release. You should upgrade to the 0.22 security fix as soon as possible. If you made no modifications to the war it's as easy as dropping the new war in. Everything, including your config, should update automatically. The next release will focus on further optimizations and some database driven features.

Doug and I were discussing adding some sort of classpath functionality to separate out customized styles. Perhaps a classpath element one could specify in the config so that it would be easy to specify a directory containing customized styles that lived outside of the war. I'll have to investigate how the servlet container goes about finding jsp page templates to load and whether they can be located outside the war.

Thanks for the feedback and comments.

Regards,
Justin

Gleb Starodubtsev wrote:
> [...]
> -------------------------------------------------------
> SF email is sponsored by - The IT Product Guide
> Read honest & candid reviews on hundreds of IT Products from real users.
> Discover which products truly live up to the hype. Start reading now.
> http://ads.osdn.com/?ad_id=6595&alloc_id=14396&op=click
> _______________________________________________
> ginp-users mailing list
> gin...@li...
> https://lists.sourceforge.net/lists/listinfo/ginp-users
From: Doug C. <do...@cu...> - 2005-02-28 12:12:52
Attachments:
smime.p7s
Thanks for the feedback, Gleb.

I think we could add the hardcoded locations for the picture and collection page to the ginp config xml file. These optional declarations could override the defaults. I wanted to do this for the thumbnail size(s), which are hardcoded as well.

Justin and I have been thinking about how to make it easier to plug ginp in to an existing site without too much merging of code and config. We will give this more thought.

Do you have any Russian translations for us?

Thanks again,
Doug

--
Doug Culnane
do...@cu...
www.culnane.net
From: Gleb S. <gl...@ma...> - 2005-02-28 19:34:56
Attachments:
Ginp_ru.properties
Hi guys,

Here is the Russian resources file and some more comments...

In the GinpEnv constructor you do:

    public GinpEnv(HttpServletRequest req) throws MalformedURLException {
        String reqUrl=req.getRequestURL().toString();
        String cPath=req.getContextPath();
        String rootUrl=reqUrl.substring(0,reqUrl.indexOf(cPath)+cPath.length());
        if (rootUrl.indexOf(cPath)<=0) {
            rootUrl+=cPath;
        }
        this.url=new URL(rootUrl);
    }

Imagine that the web application is configured without a specific context path; then cPath is "" and => rootUrl gets "" too => MalformedURLException.

Consider something like:

    public GinpEnv(HttpServletRequest req) throws MalformedURLException {
        StringBuffer basePath = new StringBuffer();
        basePath.append(req.getScheme()).append("://").append(req.getServerName());
        int iPort = req.getServerPort();
        //do not append generic HTTP ports
        if ((iPort != 80) && (iPort != 443)) {
            basePath.append(":").append(iPort);
        }
        basePath.append(req.getContextPath());
        String rootUrl = basePath.toString();
        System.out.println("rootUrl: " + rootUrl);
        this.url = new URL(rootUrl);
    }

And one more time, please consider adding two classes implementing the Struts Action interface. At least GalleryAction and PictureAction with content similar to your servlet classes and forwards in the correct places would completely decouple ginp from any hardcoded locations without any config changes... (for Struts users only though). So it would be possible to use ginp as a jar library, completely flexible to the existing app.

Thanks for your work,
Gleb
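To make the failure Gleb points out reproducible without a servlet container, the following added example (not ginp's code, and not the patch Gleb sent) lifts both constructor strategies into pure functions over the request's parts. Method names, the host name gallery.example.net and the sample request URLs are constructed for the demonstration. The port handling goes one step beyond Gleb's snippet: the port is dropped only when it is the default for the given scheme, so an https site served on 80 or an http site on 443 keeps its explicit port.

```java
import java.net.MalformedURLException;
import java.net.URL;

// Added example, not ginp's code: the two GinpEnv strategies from the thread
// as pure functions over the request's parts, so the empty-context-path
// case can be checked without a servlet container. Method names are
// hypothetical; only the logic is taken from the messages above.
public class BaseUrlExample {

    // The original GinpEnv approach: cut the request URL where the context
    // path ends.
    public static String fromRequestUrl(String requestUrl, String contextPath) {
        String rootUrl = requestUrl.substring(0,
                requestUrl.indexOf(contextPath) + contextPath.length());
        if (rootUrl.indexOf(contextPath) <= 0) {
            rootUrl += contextPath;
        }
        return rootUrl;
    }

    // Gleb's proposal, rebuilt from scheme, host, port and context path,
    // omitting the port only when it is the scheme's default.
    public static String fromParts(String scheme, String serverName, int port,
            String contextPath) {
        StringBuffer basePath = new StringBuffer();
        basePath.append(scheme).append("://").append(serverName);
        boolean defaultPort = ("http".equals(scheme) && port == 80)
                || ("https".equals(scheme) && port == 443);
        if (!defaultPort) {
            basePath.append(':').append(port);
        }
        basePath.append(contextPath);
        return basePath.toString();
    }

    // Parse the candidate the way GinpEnv does and report success or failure.
    private static void show(String label, String rootUrl) {
        try {
            URL url = new URL(rootUrl);
            System.out.println(label + ": " + url);
        } catch (MalformedURLException e) {
            System.out.println(label + ": \"" + rootUrl + "\" -> " + e);
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests; no real server involved.
        // Deployed under /ginp, both strategies agree.
        show("request-url, /ginp",
                fromRequestUrl("http://gallery.example.net/ginp/GalleryServlet", "/ginp"));
        show("parts, /ginp",
                fromParts("http", "gallery.example.net", 80, "/ginp"));
        // Deployed as the ROOT application the context path is "": indexOf("")
        // is 0, so substring(0, 0) yields "" and new URL("") fails.
        show("request-url, root app",
                fromRequestUrl("http://gallery.example.net/GalleryServlet", ""));
        show("parts, root app",
                fromParts("http", "gallery.example.net", 80, ""));
        show("parts, https on 8443",
                fromParts("https", "gallery.example.net", 8443, "/ginp"));
    }
}
```

Running it prints a valid base URL for every case except "request-url, root app", which reproduces the MalformedURLException from the thread; the rebuilt-from-parts version returns http://gallery.example.net for the same deployment.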
From: Doug C. <do...@cu...> - 2005-02-28 20:16:28
Attachments:
smime.p7s
Thanks for the properties file. I have committed it to the cvs repository. Will add a flag in the w2k4 style later.

Thanks for your feedback. The Struts Action interface implementation idea sounds very interesting as an additional feature. I will put it in the ToDo list so it is not forgotten. I think I want to get the data storage right before this gets done, but it sounds like a worthwhile thing to investigate later.

Thanks also for the patch, which I think Justin will look at.

All the best,
Doug

--
Doug Culnane
do...@cu...
www.culnane.net