Mercurial Mercurial > hg > stx-libbasic / diff
summary | shortlog | changelog | graph | tags | bookmarks | branches | files | changeset | file | latest | revisions | annotate | diff | comparison | raw | help
Find changesets by keywords (author, files, the commit message), revision number or hash, or revset expression.
Filename.st
changeset 22927 6dab5d9ece9d
parent 22850 611e4d3c238b
child 22939 9ec13a913fa8 
--- a/Filename.st	Mon May 14 21:38:54 2018 +0200
+++ b/Filename.st	Mon May 14 22:25:09 2018 +0200
@@ -4441,7 +4441,9 @@
      See also: #withSuffix: (which is different, but often needed).
 
      This method differs from #construct:, by not permitting subName
-     to navigate above (via ..) the current filename."
+     to navigate above the current filename (via '..') and is used eg.
+     by the documentation viewer and other services to prevent remote
+     access outside some predefined root folder."
 
     ^ self species named:(self secureConstructString:subname)
 
@@ -4467,11 +4469,13 @@
      filename-string for an entry within this directory
      (i.e. for a file or a subdirectory in that directory).
 
-     This method differs from #constructString, by not permitting subName
-     to navigate above (via ..) the current filename.
+     This method differs from #constructString:, by not permitting subName
+     to navigate above the current filename (via '..') and is used eg.
+     by the documentation viewer and other services to prevent remote
+     access outside some predefined root folder.
 
      The code below works for UNIX & MSDOS;
-     other filename classes (i.e. VMS) may want to redefine this method."
+     other filename classes (i.e. VMS) have to redefine this method."
 
     |sepString sub normalizedPath pathStream|
 
@@ -4481,23 +4485,23 @@
     sub := sub asCollectionOfSubstringsSeparatedByAll:sepString.
     normalizedPath := OrderedCollection new:sub size.
     sub do:[:eachPathComponent|
-	eachPathComponent = '..' ifTrue:[
-	    normalizedPath isEmpty ifTrue:[
-		self error:'secureConstruct: - trying to escape from: ', nameString.
-	    ].
-	    normalizedPath removeLast.
-	] ifFalse:[(eachPathComponent notEmpty and:[eachPathComponent ~= '.']) ifTrue:[
-	    normalizedPath add:eachPathComponent.
-	]]
+        eachPathComponent = '..' ifTrue:[
+            normalizedPath isEmpty ifTrue:[
+                self error:'secureConstruct: - trying to escape from: ', nameString.
+            ].
+            normalizedPath removeLast.
+        ] ifFalse:[(eachPathComponent notEmpty and:[eachPathComponent ~= '.']) ifTrue:[
+            normalizedPath add:eachPathComponent.
+        ]]
     ].
     pathStream := CharacterWriteStream with:nameString.
     (nameString notEmpty and:[(nameString endsWith:sepString) not]) ifTrue:[
-	pathStream nextPutAll:sepString.
+        pathStream nextPutAll:sepString.
     ].
     normalizedPath do:[:eachPathComponent|
-	pathStream nextPutAll:eachPathComponent.
+        pathStream nextPutAll:eachPathComponent.
     ] separatedBy:[
-	pathStream nextPutAll:sepString.
+        pathStream nextPutAll:sepString.
     ].
 
     ^ pathStream contents.
hg/stx-libbasic