ant-dev mailing list archives

From Stefan Bodewig <bode...@apache.org>
Subject Re: FileUtils.normalize/isLeadingPath have bitten me
Date Tue, 03 Jul 2018 16:35:09 GMT
On 2018-07-03, Jaikiran Pai wrote:

> I did some testing manually for this new method, with both symlinks
> and non-symlinks with both the string check version and the
> getParent() version. In both of those, I couldn't get it to break in
> any odd ways (which is a good thing). It also means that my theory
> that the string comparison may not always be the best idea is just
> theoretical. However, I just feel a bit more comfortable seeing the
> getParent() version since that then removes any kind of file separator
> or odd backslash/frontslash permutations that we may not have thought
> of and instead leaves it to the JRE implementation to deal with
> it. Again, this is me being a bit paranoid rather than any real demoable
> issue with the string comparison code.

I welcome paranoia in particular if security is involved. :-)

> At this point, I think these commits address the issue that we sought
> out to fix. So unless someone else sees any issues, I think we can go
> ahead and do the release that you had planned for.

Thanks. I'll let it sit for a bit longer and will cut release candidates
later in the coming days.

Stefan
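
The trade-off discussed in the quoted paragraph, as an added example that is not part of the original message and not Ant's own code: a string-prefix check next to a getParent()-style walk for deciding whether one path leads another. The class name, method names and sample paths are hypothetical and constructed for illustration; the naive variant is included only as the general pitfall a separator-unaware string check has.

```java
import java.io.File;

// Added illustration; names are hypothetical, not Ant's FileUtils API.
// None of these methods resolve ".." segments or symlinks: callers must
// normalize or canonicalize both paths first (e.g. File.getCanonicalFile()).
public class LeadingPathDemo {

    // Naive string check: accepts "/srv/app-evil" as being under "/srv/app".
    static boolean naivePrefix(File leading, File path) {
        return path.getAbsolutePath().startsWith(leading.getAbsolutePath());
    }

    // String check that only matches on a separator boundary.
    static boolean separatorAwarePrefix(File leading, File path) {
        String l = leading.getAbsolutePath();
        String p = path.getAbsolutePath();
        if (l.equals(p)) {
            return true;
        }
        if (!l.endsWith(File.separator)) {
            l += File.separator;
        }
        return p.startsWith(l);
    }

    // getParent()-style check: walk up the tree and compare whole File
    // objects, leaving separator handling to the JRE.
    static boolean parentWalk(File leading, File path) {
        File l = leading.getAbsoluteFile();
        for (File f = path.getAbsoluteFile(); f != null; f = f.getParentFile()) {
            if (f.equals(l)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        File base = new File("/srv/app"); // constructed sample paths
        String[] samples = {"/srv/app", "/srv/app/lib/a.jar", "/srv/app-evil/x", "/srv/other"};
        for (String s : samples) {
            File f = new File(s);
            System.out.printf("%-20s naive=%-5b sepAware=%-5b parentWalk=%b%n",
                s, naivePrefix(base, f), separatorAwarePrefix(base, f), parentWalk(base, f));
        }
    }
}
```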
