Re: [Soaplab-users] output files not definable on command line
From: Mahmut U. <ul...@eb...> - 2009-02-13 16:26:35
> > I had a similar problem when I was integrating one application to
> > Soaplab. I used the 'default' attribute of the outfile options to
> > specify the name of the output file my application was expecting. This
> > worked well however I also needed to add a new check in the getFileName
> > method of the IOData class for checking whether the output has a default
> > file name and it is secure to use.

> I will test this.

Don't forget to add the following check as the first sentence in the getFileName method of IOData class.

    if (StringUtils.isNotBlank(paramDef.dflt)
        && ! paramDef.dflt.startsWith(File.separator))
        return paramDef.dflt;

It includes an attempt to prevent use of absolute paths but the current version will not work on Windows platform. It should probably be safer if the check also fails when the file name starts with a reference to parent directories "..".

Mahmut
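An added example, not part of the original message or of Soaplab's code: one way to write the default-file-name check so that it rejects absolute paths on both Unix and Windows and any ".." segment, then confirms the resolved path stays inside the job directory. The class name, `isSafeDefaultName` and `jobDir` are hypothetical; the sample names are constructed.

```java
import java.nio.file.InvalidPathException;
import java.nio.file.Path;
import java.nio.file.Paths;

public class DefaultNameCheck {

    // Hypothetical helper, not Soaplab's IOData.getFileName().
    // Returns true only if dflt is a relative name that stays inside jobDir.
    static boolean isSafeDefaultName(String dflt, Path jobDir) {
        if (dflt == null || dflt.trim().isEmpty()) return false;

        // Rooted paths: "/x" on Unix, "\x" and UNC "\\host\share" on Windows.
        // Checked as literals so the result does not depend on the host OS.
        if (dflt.startsWith("/") || dflt.startsWith("\\")) return false;

        // Drive-qualified Windows paths: "C:\x" and drive-relative "C:x".
        if (dflt.length() >= 2 && dflt.charAt(1) == ':'
                && Character.isLetter(dflt.charAt(0))) return false;

        // Any ".." segment, split on either separator, not just a leading one.
        for (String segment : dflt.split("[/\\\\]+")) {
            if (segment.equals("..")) return false;
        }

        // Defence in depth: the normalized result must be a child of jobDir.
        Path base = jobDir.toAbsolutePath().normalize();
        try {
            Path resolved = base.resolve(dflt).normalize();
            return resolved.startsWith(base) && !resolved.equals(base);
        } catch (InvalidPathException e) {
            return false; // e.g. embedded NUL or characters the platform rejects
        }
    }

    public static void main(String[] args) {
        Path jobDir = Paths.get("jobs", "constructed-job-1"); // constructed
        String[] samples = {                                   // constructed
            "result.out", "sub/result.out", "/etc/passwd", "C:\\temp\\x",
            "\\\\host\\share\\x", "../other-job/result.out",
            "sub/../../escape", "..\\escape", ".", ""
        };
        for (String s : samples) {
            System.out.printf("%-28s safe=%b%n",
                    "\"" + s + "\"", isSafeDefaultName(s, jobDir));
        }
    }
}
```

The literal prefix tests are deliberate: `File.separator` and `Path.isAbsolute()` reflect only the platform the JVM runs on, so a Unix host would not treat a `C:\` name as absolute.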