JDK-4915214

File{{Input,Output}Stream,Reader,Writer} should prevent traversal above given node in directory tree

    • Enhancement
    • Resolution: Unresolved
    • P4
    • None
    • 1.4.1
    • core-libs
    • x86
    • linux

      Name: jl125535 Date: 08/29/2003


      A DESCRIPTION OF THE REQUEST :
      This RFE requests new constructors to the java.io.File,
      java.io.FileInput/Output/Stream and
      java.io.FileReader/Writer classes that provide a root
      directory parameter. The path parameter(s) would then be
      taken relative to that root directory, such that use of
      the directory traversal ".." path element cannot be used
      to traverse up into the root directory path. This
      behaviour is analogous to the Unix/Linux chroot()
      function, except that it would apply only to the specific
      constructor.

      JUSTIFICATION :
      People continue to build directory traversal
      vulnerabilities into new software. This appears to be
      because people are unaware of the issue, reimplement a
      solution incorrectly, or apply the solution in the wrong
      place (such as before %xx values are decoded).

      The existence of these constructors would serve to
      highlight the issue for developers, and their use would
      obviate errors that occur when the solution is
      reimplemented in each application that needs it.

      (Incident Review ID: 179534)
      ======================================================================

            Unassigned
            jleesunw Jon Lee (Inactive)
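The confinement this request describes can be approximated today with java.nio.file, as in the following added example, which is not JDK API and not part of the original report. `ConfinedPath`, `resolveUnder` and `resolveEncodedUnder` are hypothetical names, the sample root and inputs are constructed, and the code assumes Java 10+ and performs a lexical check only (symbolic links under the root are not resolved).

```java
import java.io.IOException;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;

// Added illustration: ConfinedPath and its methods are hypothetical, not JDK API.
public class ConfinedPath {

    /** Resolve an already-decoded, untrusted relative path beneath root, or throw. */
    static Path resolveUnder(Path root, String untrusted) throws IOException {
        Path base = root.toAbsolutePath().normalize();
        Path requested = Paths.get(untrusted);   // InvalidPathException on e.g. NUL bytes
        if (requested.isAbsolute()) {
            throw new IOException("absolute path not allowed: " + untrusted);
        }
        // normalize() collapses "." and ".." lexically; it does not follow symlinks.
        Path candidate = base.resolve(requested).normalize();
        // Path.startsWith compares whole name elements, so srv/data2 is not under srv/data.
        if (!candidate.startsWith(base)) {
            throw new IOException("path escapes root: " + untrusted);
        }
        return candidate;
    }

    /** Decode %xx first, then confine; a check made before decoding misses %2e%2e. */
    static Path resolveEncodedUnder(Path root, String encoded) throws IOException {
        // URLDecoder also maps '+' to a space; acceptable for these demo inputs.
        return resolveUnder(root, URLDecoder.decode(encoded, StandardCharsets.UTF_8));
    }

    public static void main(String[] args) {
        Path root = Paths.get("srv", "data");    // constructed sample root
        String[] samples = {                     // constructed sample inputs
            "reports/2003/q3.txt", "a/../b.txt", "../../outside.txt",
            "%2e%2e/%2e%2e/outside.txt", "reports/../../data2/x"
        };
        for (String s : samples) {
            try {
                System.out.println("OK      " + s + " -> " + resolveEncodedUnder(root, s));
            } catch (IOException | IllegalArgumentException e) {
                System.out.println("REJECT  " + s + " (" + e.getMessage() + ")");
            }
        }
    }
}
```

The first two inputs resolve inside the root; the last three are rejected, including the percent-encoded one, which a check run on the still-encoded string would have let through.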