[kaffe] fastjar security issue

Dalibor Topic robilad at kaffe.org
Mon Mar 27 16:42:08 PST 2006


On Tue, 2006-03-28 at 02:28 +0200, Dalibor Topic wrote:

> Thanks! I'd recommend using realpath or canonicalize_file_name, if
> available, to do the canonicalisation, rather than writing one's own
> function, though. See
> http://www.gnu.org/software/libc/manual/html_node/Symbolic-Links.html#Symbolic-Links
> for a description. 
> 
> I guess you could then simply chop the first char off if it is a file
> separator. I am not sure what the POSIX-y way to find out the file
> separator char/string is, though.
> 
> Just slashing '/'s may not work so well on systems where '\' is the
> directory separator, like win32. So I'd recommend going with realpath or
> canonicalize_file_name.

Turns out that joerg already thought about it and recommends against it:
http://article.gmane.org/gmane.os.netbsd.devel.packages/24746/match=netbsd+fastjar

so yeah, please go ahead and check it in.

cheers,
dalibor topic
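
An added example, not part of the original message or of the fastjar patch under discussion: one way to write the hand-rolled, purely lexical canonicalisation that the quoted text contrasts with realpath, including the "chop the leading separator" step. The function name is hypothetical, the sample names are constructed, and treating '/' as the only separator is an assumption.

```c
#include <stdio.h>
#include <string.h>
/* Hypothetical helper: lexically normalise an archive member name into a
 * path relative to the extraction root, without touching the filesystem.
 * Assumes '/' is the only separator. Returns 0 on success, -1 if the name
 * climbs above the root, normalises to nothing, or does not fit in out. */
int sanitize_entry_name(const char *in, char *out, size_t outsz)
{
    size_t len = 0;                      /* bytes currently in out */
    if (outsz == 0)
        return -1;
    out[0] = '\0';
    while (*in != '\0') {
        while (*in == '/')               /* leading or repeated separators */
            in++;
        size_t n = strcspn(in, "/");     /* length of this component */
        if (n == 0)
            break;                       /* trailing separator, end of name */
        if (n == 2 && in[0] == '.' && in[1] == '.') {
            if (len == 0)
                return -1;               /* ".." would leave the root */
            char *slash = strrchr(out, '/');
            len = slash ? (size_t)(slash - out) : 0;
            out[len] = '\0';             /* drop the previous component */
        } else if (!(n == 1 && in[0] == '.')) {   /* "." adds nothing */
            if (len + n + 2 > outsz)
                return -1;               /* room for '/', component, NUL */
            if (len)
                out[len++] = '/';
            memcpy(out + len, in, n);
            len += n;
            out[len] = '\0';
        }
        in += n;
    }
    return len ? 0 : -1;
}

int main(void)
{
    /* Constructed sample member names, not taken from any real archive. */
    const char *names[] = { "META-INF/MANIFEST.MF", "/etc/passwd",
                            "a/./b/../c", "a/../../x", "../x" };
    char buf[64];
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++)
        printf("%-22s -> %s\n", names[i],
               sanitize_entry_name(names[i], buf, sizeof buf) ? "(rejected)" : buf);
    return 0;
}
```

Unlike realpath, this never consults the filesystem, so it works on member names whose targets do not exist yet, but it also does not see symbolic links already present under the extraction directory.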




