Re: [ginp-users] ginp issues
From: Justin <ju...@sq...> - 2005-02-26 05:00:30
Gleb,

I was refactoring some of the servlets and discovered some of the input validation vulnerabilities you are talking about. They should be fixed in the current 0.22 release. You should upgrade to the 0.22 security fix as soon as possible. If you made no modifications to the war, it's as easy as dropping the new war in. Everything, including your config, should update automatically.

The next release will focus on further optimizations and some database driven features. Doug and I were discussing adding some sort of classpath functionality to separate out customized styles. Perhaps a classpath element one could specify in the config, so that it would be easy to specify a directory containing customized styles that lived outside of the war. I'll have to investigate how the servlet container goes about finding jsp page templates to load and whether they can be located outside the war.

Thanks for the feedback and comments.

Regards,
Justin

Gleb Starodubtsev wrote:
> Hi,
>
> Found GINP some time ago and after trying to add it to my application, got
> some questions/proposals.
>
> Currently jsp pages for collection and picture are hardcoded in several
> classes, which definitely makes it difficult to embed ginp into an existing
> application. As the ginp Controller is made of a servlet, why not move these jsp
> locations into init parameters or another config place?
>
> More than that, it would be really cool to have some base class for the ginp
> controller and several extensions for different web application designs.
> Like one implementation (extension actually) for servlet, another for Struts
> Action ("forwards" are much more appreciated for jsp locations). This will
> make ginp more flexible as an extension framework. Actually I have had to
> hack your code with these changes to embed this gallery into my Struts
> application, but it is a bit of a dirty solution and will be really hard to
> maintain...
>
> Another question is about the security fix stated for the 0.22 release.
> Could somebody provide some more details about this fix?
> I'm using version 0.21 and noticed that playing with the "path" parameter of
> the "selectpath" command could lead you far beyond the root collection's path,
> exposing the directory structure on the file system (at least on Win).
>
> Regards,
> Gleb
>
> _______________________________________________
> ginp-users mailing list
> gin...@li...
> https://lists.sourceforge.net/lists/listinfo/ginp-users
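The traversal Gleb describes (a "path" request parameter resolving outside the collection root) is the class of bug a servlet prevents by canonicalizing the requested path and refusing anything that does not stay under the root. The following is an added illustration in Java, not ginp's own code; the class name `CollectionPathGuard` and the sample paths are constructed for the example.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/**
 * Confines a user-supplied "path" parameter to a fixed collection root.
 * Hypothetical helper written for this example; not part of ginp.
 */
public class CollectionPathGuard {
    private final File root;

    public CollectionPathGuard(File root) throws IOException {
        // Canonical form resolves symlinks and "." / ".." once, up front.
        this.root = root.getCanonicalFile();
    }

    /**
     * Returns the canonical file for the requested path, or null when the
     * path would escape the root (".." segments, or an absolute path that
     * the platform resolves outside the collection).
     */
    public File resolve(String requested) throws IOException {
        if (requested == null || requested.isEmpty()) {
            return root;
        }
        // Always append to the root; never trust the parameter as a whole path.
        File candidate = new File(root, requested).getCanonicalFile();
        String rootPrefix = root.getPath() + File.separator;
        if (candidate.equals(root) || candidate.getPath().startsWith(rootPrefix)) {
            return candidate;
        }
        return null; // escaped the root: reject and log, do not list it
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a throwaway directory plays the collection root.
        File tmpRoot = Files.createTempDirectory("ginp-root").toFile();
        CollectionPathGuard guard = new CollectionPathGuard(tmpRoot);
        String[] samples = { "holiday/2005", "../../etc", "/etc/passwd", "a/../b" };
        for (String p : samples) {
            File f = guard.resolve(p);
            System.out.println(p + " -> " + (f == null ? "REJECTED" : f.getPath()));
        }
    }
}
```

Comparing the canonical candidate against the canonical root (with a trailing separator) is what catches the "..\" case on Windows as well as the "/" case on Unix; a plain `startsWith(root.getPath())` without the separator would also admit a sibling directory such as `photos2` next to a root named `photos`.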