ZK-1742

How does org.zkoss.zkmax.au.http.AuDownloader ensure that an attacker can't use it to access an arbitrary file on the server?


Details

• Type: Bug
• Status: Open
• Priority: Minor
• Resolution: Unresolved
• Affects Version/s: 6.5.2
• Fix Version/s: None
• Component/s: ZK Update Engine
• Labels: None
• Environment: production

Description

AuDownloader uses new File(path) and new URL(path), but it's unclear whether the paths are sanitized somewhere to prevent a remote attacker from accessing any resource on the server (or even attacking different servers by using a global URL).
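As an added illustration (not ZK's code, and not a statement about what AuDownloader actually does), this is the kind of containment check a reviewer would look for around the two constructors named in the report: the file path is canonicalized and required to stay under a fixed base directory, and the URL is limited to http(s) plus an allowlist of hosts. The class name, base directory and host list are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.util.Set;

/** Hypothetical guard around new File(path) / new URL(path); not part of ZK. */
public final class DownloadPathGuard {
    private final File baseDir;             // only files under this directory may be served
    private final Set<String> allowedHosts; // only these hosts may be fetched by URL

    public DownloadPathGuard(File baseDir, Set<String> allowedHosts) throws IOException {
        this.baseDir = baseDir.getCanonicalFile(); // resolve symlinks once, up front
        this.allowedHosts = allowedHosts;
    }

    /** Resolve a client-supplied path and refuse anything that leaves baseDir. */
    public File resolveFile(String path) throws IOException {
        if (path == null || path.isEmpty()) throw new IOException("empty path");
        // File(parent, child) joins under baseDir; getCanonicalFile collapses ".." and symlinks.
        File candidate = new File(baseDir, path).getCanonicalFile();
        // Compare with a trailing separator so "/data" cannot match "/data-private/x".
        String prefix = baseDir.getPath() + File.separator;
        if (!candidate.getPath().startsWith(prefix)) {
            throw new IOException("path escapes base directory: " + path);
        }
        return candidate;
    }

    /** Accept only http(s) URLs to allowlisted hosts (rejects file:, jar:, internal hosts). */
    public URL resolveUrl(String spec) throws MalformedURLException {
        URL url = new URL(spec);
        String scheme = url.getProtocol();
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            throw new MalformedURLException("scheme not allowed: " + scheme);
        }
        String host = url.getHost();
        if (host == null || !allowedHosts.contains(host.toLowerCase())) {
            throw new MalformedURLException("host not allowed: " + host);
        }
        return url;
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample values: base directory and host are placeholders.
        DownloadPathGuard guard = new DownloadPathGuard(new File("/srv/app/downloads"), Set.of("cdn.example.org"));
        System.out.println(guard.resolveFile("reports/q1.pdf"));                       // stays under base
        try { guard.resolveFile("../../outside.txt"); } catch (IOException e) { System.out.println("rejected: " + e.getMessage()); }
        try { guard.resolveUrl("file:///tmp/x"); } catch (MalformedURLException e) { System.out.println("rejected: " + e.getMessage()); }
        System.out.println(guard.resolveUrl("https://cdn.example.org/pkg.zip"));      // allowlisted host
    }
}
```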

People

Assignee: Unassigned
Reporter: stevegreensill