How does org.zkoss.zkmax.au.http.AuDownloader ensure that an attacker can't use it to access an arbitrary file on the server?


    • Type: Bug
    • Resolution: Unresolved
    • Priority: Minor
    • Affects Version/s: 6.5.2
    • Component/s: ZK Update Engine
    • Environment: production

      AuDownloader uses new File(path) and new URL(path), but it's unclear whether the paths are sanitized somewhere to prevent a remote attacker from accessing any resource on the server (or even attacking different servers by using a global URL).
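One way to confine both constructs the report mentions, as an added example that is not ZK's AuDownloader code (the base directory, the allowed-host set and the helper names are assumptions): local paths are canonicalised and required to stay under a fixed base directory, and remote URLs are restricted to http(s) against an allow-list of hosts.

```java
import java.io.File;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Set;

/** Hypothetical hardening for a download endpoint that builds File/URI objects from request input. */
public final class SafeDownloadSource {
    private static final Set<String> ALLOWED_SCHEMES = Set.of("http", "https");
    // Assumption (constructed value): remote fetches are only legitimate against this host.
    private static final Set<String> ALLOWED_HOSTS = Set.of("static.example.invalid");

    private SafeDownloadSource() {}

    /** Resolves a request path under baseDir and rejects anything that escapes it. */
    public static File resolveLocal(File baseDir, String requestPath) throws IOException {
        // Canonicalise both sides so "..", symlinks and odd separators are normalised the same way.
        String base = baseDir.getCanonicalPath();
        File candidate = new File(baseDir, requestPath);
        String canon = candidate.getCanonicalPath();
        // Require a separator after the base so "/srv/files2" is not accepted for base "/srv/files".
        if (!canon.equals(base) && !canon.startsWith(base + File.separator)) {
            throw new IOException("path escapes base directory: " + requestPath);
        }
        return candidate;
    }

    /** Accepts only absolute http(s) URLs whose host is on the allow-list. */
    public static URI resolveRemote(String requestUrl) throws URISyntaxException {
        URI uri = new URI(requestUrl);
        String scheme = uri.getScheme();
        String host = uri.getHost();
        if (scheme == null || host == null
                || !ALLOWED_SCHEMES.contains(scheme.toLowerCase())
                || !ALLOWED_HOSTS.contains(host.toLowerCase())) {
            throw new URISyntaxException(requestUrl, "scheme or host not allowed");
        }
        return uri;
    }

    public static void main(String[] args) throws Exception {
        File base = new File(System.getProperty("java.io.tmpdir"));
        System.out.println("accepted: " + resolveLocal(base, "reports/q1.pdf"));
        try { resolveLocal(base, "../outside/secret.txt"); }
        catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println("accepted: " + resolveRemote("https://static.example.invalid/q1.pdf"));
        try { resolveRemote("ftp://other.example.invalid/q1.pdf"); }
        catch (URISyntaxException e) { System.out.println("rejected: " + e.getReason()); }
    }
}
```

The local check relies on getCanonicalPath() on both sides; comparing the raw request string against the base would miss "..", symlinks and platform-specific separators.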

    • Assignee: Unassigned
    • Reporter: stevegreensill
    • Votes: 0
    • Watchers: 2