[rfc][icedtea-web] u51 classpath manifest entry implementation
Omair Majid
omajid at redhat.com
Mon Mar 31 20:18:15 UTC 2014
* Jiri Vanek <jvanek at redhat.com> [2014-03-31 15:45]:
> On 03/31/2014 09:29 PM, Omair Majid wrote:
> >Sorry for spotting this so late, but I think creating regular
> >expressions by string concatenation without sanitizing the input string
> >is a bad idea. Just like SQL-injection, this allows users to craft
> >special strings that contain \Q and \E to bypass/workaround our checks
> >and restrictions.
>
> like this? (as attached)
Yes, this looks much better. Thanks for the quick fix.
> diff -r dc0a77856cb4 netx/net/sourceforge/jnlp/util/ClasspathMatcher.java
> --- a/netx/net/sourceforge/jnlp/util/ClasspathMatcher.java Mon Mar 31 13:27:48 2014 -0400
> +++ b/netx/net/sourceforge/jnlp/util/ClasspathMatcher.java Mon Mar 31 21:44:30 2014 +0200
> @@ -318,22 +318,20 @@
> }
> /*
> * coment for lazybones:
> - * \Q is start of citation
> - * \E is end of citation
> - * - all characters in citation are threated as are without any special meaning
> + * Pattern.quote - all characters in citation are threated as are without any special meaning
s/threat/treat/
> * ^ is start of th e line
> * $ is end of the line
> */
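Review bot: the quoted fragment shows only the comment rewrite; the lines that actually switch the matcher construction from concatenated \Q...\E to Pattern.quote are not in the excerpt (the header says -318,22 +318,20 but only the comment block is visible), so whether every concatenation site was converted cannot be checked from these lines and the full hunk should be attached. On the lines that are visible, the replacement `+ * Pattern.quote - all characters in citation are threated as are without any special meaning` still talks about a "citation" that no longer exists in the code and keeps the "threated" typo, while the unchanged context keeps "coment" and "th e line"; if the block is kept at all, reword it to something like `* Pattern.quote: every character of the argument is treated literally` and fix the surrounding typos in the same change.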
\Q and \E are uncommon enough that adding a comment to clarify that was
probably okay. But now this comment really doesn't do much. I recommend
removing it.
Looks good otherwise.
Thanks,
Omair
--
PGP Key: 66484681 (http://pgp.mit.edu/)
Fingerprint = F072 555B 0A17 3957 4E95 0056 F286 F14F 6648 4681
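As an added illustration of the \Q/\E concern raised in the thread (not icedtea-web code; the class name and both helper names are hypothetical), the hand-built quotation beside the Pattern.quote version, run on a constructed input that contains a stray \E:

```java
import java.util.regex.Pattern;

// Added illustration, not part of icedtea-web: the class and both helper
// names are hypothetical. Compares a regex built by concatenating \Q ... \E
// around untrusted text with one built via Pattern.quote.
public class QuoteDemo {

    // "Before": the literal is wrapped in \Q ... \E by string concatenation.
    // A "\E" inside `literal` closes the quotation early, and everything
    // after it is parsed as regex syntax instead of as literal text.
    static Pattern byConcatenation(String literal) {
        return Pattern.compile("^\\Q" + literal + "\\E$");
    }

    // "After": Pattern.quote handles embedded "\E" itself (it closes the
    // quotation, emits an escaped \E, and reopens it), so the whole argument
    // stays literal no matter what it contains.
    static Pattern byPatternQuote(String literal) {
        return Pattern.compile("^" + Pattern.quote(literal) + "$");
    }

    public static void main(String[] args) {
        // Constructed input: the characters  a \E . * \Q b
        String crafted = "a\\E.*\\Qb";
        // Constructed probe that is not the crafted string at all.
        String unrelated = "anything-goes-here-b";

        Pattern weak = byConcatenation(crafted);
        Pattern safe = byPatternQuote(crafted);

        // weak compiles to ^\Qa\E.*\Qb\E$ : literal "a", then .*, then
        // literal "b", so the quotation was terminated by the input and the
        // ".*" in the middle is live regex syntax.
        System.out.println("concatenation pattern : " + weak.pattern());
        System.out.println("  matches unrelated?  : " + weak.matcher(unrelated).matches());

        // safe compiles to ^\Qa\E\\E\Q.*\Qb\E$ : the embedded \E is escaped
        // and the quotation reopened, so the argument is matched verbatim.
        System.out.println("Pattern.quote pattern : " + safe.pattern());
        System.out.println("  matches unrelated?  : " + safe.matcher(unrelated).matches());
        System.out.println("  matches crafted?    : " + safe.matcher(crafted).matches());
    }
}
```

Printing both compiled patterns side by side is the quickest way to review any remaining concatenation sites: if a user-controlled string can reach `Pattern.compile` without passing through `Pattern.quote`, the first form is what gets built.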
More information about the distro-pkg-dev mailing list