Relative Message Bundle URLs from the GadgetXML directory are not accepted anymore

In version 1.0 you could add message bundles with a relative path from the gadget xml directory like this:

<Locale messages="local/en_ALL.xml"/>

This is not possible anymore in the current trunk. The following patch takes the implementation out of 1.0 and ports it to the current trunk. Additionally there is a regex check on the relative url, so that it is not possible to request resources outside of the gadget directory.

Index: php/src/gadgets/GadgetFactory.php
===================================================================
200a200,216
> $parsedUri = parse_url($locale['messages']);
> if (empty($parsedUri['host'])) {
> // relative path's in the locale spec uri
> // check against valid chars so that we can make sure that the given
> // relative url is valid and does not try to fetch files outside of
> // gadget scope (e.g. /../../../usr/bin... )
> $pattern = '%^(([a-zA-Z0-9\-_](?<!\.))

{1,2}

([a-zA-Z0-9\.\-_](?<!\.\.))*/?)+$%';
> if (preg_match($pattern, $locale['messages']))

{ > $gadgetUrl = $this->context->getUrl(); > $gadgetUrl = substr($gadgetUrl, 0, strrpos($gadgetUrl, '/') + 1); > $locale['messages'] = $gadgetUrl . str_replace('..', '', $locale['messages']); > }

else

{ > // remove any locales that are not applicable to this context > unset($gadget->gadgetSpec->locales[$key]); > continue; > }

> }