[rfc][icedtea-web] u51 classpath manifest entry implementation

Omair Majid omajid at redhat.com
Mon Mar 31 19:29:46 UTC 2014


* Jiri Vanek <jvanek at redhat.com> [2014-02-05 13:16]:
> So here is first implementation of more complex D-I-D manifest attributes:
> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html
> 
> the codebase
> 
> http://docs.oracle.com/javase/7/docs/technotes/guides/jweb/manifest.html#codebase
> 
> The classpath matcher is quite complex, as it's going to be reused in
> Application-Library-Allowable-Codebase and Caller-Allowable-Codebase Attribute

> +        if (s.startsWith("*") && s.endsWith("*")) {
> +            return "^.*\\Q" + s.substring(1, s.length() - 1) + "\\E.*$";
> +        } else if (s.endsWith("*")) {
> +            return "^\\Q" + s.substring(0, s.length() - 1) + "\\E.*$";
> +
> +        } else if (s.startsWith("*")) {
> +            return "^.*\\Q" + s.substring(1) + "\\E$";
> +
> +        } else {
> +            return "^\\Q" + s + "\\E$";
> +        }
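Review bot: all four return statements splice the raw attribute value between a hand-written "\\Q" and "\\E", so a value that itself contains \E closes the literal region and whatever follows is interpreted as regex syntax; build each literal segment with Pattern.quote(...) instead, which escapes an embedded \E, and drop the manual "\\Q" + ... + "\\E" wrapping. Separately, a bare "*" satisfies both startsWith("*") and endsWith("*") and reaches s.substring(1, s.length() - 1), i.e. substring(1, 0), which throws StringIndexOutOfBoundsException; check s.length() > 1 before taking the both-ends branch (the stray blank lines after the second and third return are also worth removing).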

Sorry for spotting this so late, but I think creating regular
expressions by string concatenation without sanitizing the input string
is a bad idea. Just like SQL-injection, this allows users to craft
special strings that contain \Q and \E to bypass/workaround our checks
and restrictions.

Please use Pattern.quote [1].

Thanks,
Omair

[1] http://docs.oracle.com/javase/6/docs/api/java/util/regex/Pattern.html#quote(java.lang.String)

-- 
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95  0056 F286 F14F 6648 4681
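To make the injection concrete, here is an added Java example (not code from the thread or from IcedTea-Web) that places a builder shaped like the quoted patch next to one built on Pattern.quote. The attribute value, hostnames and the method names unsafeGlobToRegex / safeGlobToRegex are constructed for the demonstration; the only real API used is java.util.regex.Pattern.

```java
import java.util.regex.Pattern;

public class CodebaseMatcherDemo {

    // Builder in the shape of the quoted patch, kept here as the "before" case.
    // The raw value is concatenated between \Q and \E, so a value containing
    // "\E" ends the literal region early and the remainder is parsed as regex.
    static String unsafeGlobToRegex(String s) {
        if (s.startsWith("*") && s.endsWith("*")) {
            return "^.*\\Q" + s.substring(1, s.length() - 1) + "\\E.*$";
        } else if (s.endsWith("*")) {
            return "^\\Q" + s.substring(0, s.length() - 1) + "\\E.*$";
        } else if (s.startsWith("*")) {
            return "^.*\\Q" + s.substring(1) + "\\E$";
        } else {
            return "^\\Q" + s + "\\E$";
        }
    }

    // Hardened builder (assumed shape, not the project's code): Pattern.quote
    // escapes an embedded "\E" so the whole segment stays literal. The bare "*"
    // case is treated as a leading wildcard only, avoiding substring(1, 0).
    static String safeGlobToRegex(String s) {
        boolean leading = s.startsWith("*");
        boolean trailing = s.length() > 1 && s.endsWith("*");
        String body = s.substring(leading ? 1 : 0, s.length() - (trailing ? 1 : 0));
        StringBuilder regex = new StringBuilder("^");
        if (leading) {
            regex.append(".*");
        }
        regex.append(Pattern.quote(body));
        if (trailing) {
            regex.append(".*");
        }
        regex.append("$");
        return regex.toString();
    }

    // Full-string match, as a codebase check would use it.
    static boolean matches(String regex, String codebase) {
        return Pattern.compile(regex).matcher(codebase).matches();
    }

    public static void main(String[] args) {
        // Constructed attribute value: looks like a plain codebase, but "\E|.*\Q"
        // closes the literal region and appends an alternation matching anything.
        String crafted = "https://trusted.example.com/\\E|.*\\Q";
        String benign = "https://trusted.example.com/*";
        String trustedCodebase = "https://trusted.example.com/app.jnlp";
        String otherCodebase = "https://other.example.net/app.jnlp";

        System.out.println("unsafe, crafted vs other:  "
                + matches(unsafeGlobToRegex(crafted), otherCodebase));   // true: check bypassed
        System.out.println("safe,   crafted vs other:  "
                + matches(safeGlobToRegex(crafted), otherCodebase));     // false: value stays literal
        System.out.println("safe,   benign vs trusted: "
                + matches(safeGlobToRegex(benign), trustedCodebase));    // true
        System.out.println("safe,   benign vs other:   "
                + matches(safeGlobToRegex(benign), otherCodebase));      // false
        System.out.println("safe,   '*' vs other:      "
                + matches(safeGlobToRegex("*"), otherCodebase));         // true: explicit wildcard
    }
}
```

The unsafe builder turns the crafted value into `^\Qhttps://trusted.example.com/\E|.*\Q\E$`, an alternation whose second branch accepts any codebase. Pattern.quote rewrites the embedded `\E` as `\E\\E\Q`, so the same value only ever matches itself.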


More information about the distro-pkg-dev mailing list