Juan Hernandez has posted comments on this change.

Change subject: core: Use file servlet to serve documentation
Patch Set 2: (1 inline comment)

File backend/manager/modules/root/src/main/java/org/ovirt/engine/core/FileServlet.java
Line 109:

We would like to use existing and well tested technology, like the default servlet in JBoss AS, but we can't because it doesn't support content outside the application archive. In order to serve that content we used symlinks in the past, but that doesn't work with AS 7 (and symlinks aren't that good a solution either).

The base directory is specified in the configuration, see the "init" method.

The requested file path can't be calculated as "request.getPathInfo()" as that contains only the part of the URL after the servlet path, not the complete file path. It has to be calculated as the base directory plus the path from "request.getPathInfo()".

It is right that the "requestedFile.getCanonicalPath()" removes the "." and ".." characters, but we don't want to remove them, we want to reject any request that contains them. The legitimate requests for the files that we use in oVirt don't contain these characters, so I think it is better to just reject them.

If we compare the requested path with the canonical path then symlinks won't work, and that was one of the reasons to use this servlet in the first place. I think that we don't need those symlinks any longer, so I think that we can apply this suggestion.
We checked the servlet using this tool, and it didn't discover any flaw:

http://dotdotpwn.blogspot.de

--
To view, visit http://gerrit.ovirt.org/5727

Gerrit-MessageType: comment
Gerrit-Change-Id: I7c182b2e67c5598589ac528ed40f930ccf7c0de8
Gerrit-PatchSet: 2
Gerrit-Project: ovirt-engine
Gerrit-Branch: master
Gerrit-Owner: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Einav Cohen <eco...@redhat.com>
Gerrit-Reviewer: Juan Hernandez <juan.hernan...@redhat.com>
Gerrit-Reviewer: Moran Goldboim <mgold...@redhat.com>
Gerrit-Reviewer: Ofer Schreiber <oschr...@redhat.com>
Gerrit-Reviewer: Vojtech Szocs <vsz...@redhat.com>
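The two checks discussed in the comment above, as an added example that is not the FileServlet code under review: reject any request path with a "." or ".." segment, then optionally require the canonical path to stay under the base directory (done here as a containment test against the canonical base, a variant of the comparison the comment mentions). The class and method names and the sample paths are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class RequestPathCheck {
    /**
     * Hypothetical helper: maps the value of request.getPathInfo() to a file
     * under the configured base directory, or returns null to reject it.
     */
    static File resolve(File base, String pathInfo, boolean requireCanonical)
            throws IOException {
        if (pathInfo == null || pathInfo.indexOf('\0') >= 0) {
            return null;
        }
        // Reject instead of normalizing: legitimate requests never carry
        // "." or ".." segments, so their presence is treated as an error.
        for (String segment : pathInfo.split("[/\\\\]")) {
            if (segment.equals(".") || segment.equals("..")) {
                return null;
            }
        }
        // The file path is the base directory plus the path info.
        File requested = new File(base, pathInfo);
        if (requireCanonical) {
            // Symlinks that lead outside the base directory stop working
            // once this check is enabled.
            String canonicalBase = base.getCanonicalPath();
            String canonical = requested.getCanonicalPath();
            if (!canonical.equals(canonicalBase)
                    && !canonical.startsWith(canonicalBase + File.separator)) {
                return null;
            }
        }
        return requested;
    }

    public static void main(String[] args) throws IOException {
        // Constructed base directory and request paths, for illustration only.
        File base = Files.createTempDirectory("docs").toFile();
        String[] samples = { "/manual/index.html", "/manual/../../etc/passwd",
                             "/./index.html", "/manual/file..name.html" };
        for (String pathInfo : samples) {
            File result = resolve(base, pathInfo, true);
            System.out.println(pathInfo + " -> "
                    + (result == null ? "rejected" : "served from " + result));
        }
    }
}
```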