Index: src/main/org/jboss/webservice/server/InvokerProvider.java
===================================================================
RCS file: /cvsroot/jboss/webservice/src/main/org/jboss/webservice/server/InvokerProvider.java,v
retrieving revision 1.20.2.5
diff -u -r1.20.2.5 InvokerProvider.java
--- src/main/org/jboss/webservice/server/InvokerProvider.java 2 Mar 2005 14:32:32 -0000 1.20.2.5
+++ src/main/org/jboss/webservice/server/InvokerProvider.java 14 Mar 2005 22:16:57 -0000
@@ -44,6 +44,9 @@
 import java.util.Arrays;
 import java.util.HashMap;
 import java.util.HashSet;
+import java.util.Iterator;
+import java.util.List;
+import java.util.StringTokenizer;
 
 /**
 * An RPC provider base that provides access to some
@@ -286,11 +289,17 @@
 if (isAbsolute == false && orgLocation.startsWith(requestURI) == false)
 {
 String newResourcePath = orgLocation;
- //Bug Fix: [ 1041622 ] invalid schemaLocation generated for imported schema
- //Added the new check && !orgLocation.startsWith("../")
- if (resourcePath != null && resourcePath.indexOf("/") > 0
- && !orgLocation.startsWith("../"))
- newResourcePath = resourcePath.substring(0, resourcePath.indexOf("/") + 1) + orgLocation;
+ // JBWS-153
+ if (resourcePath != null && resourcePath.indexOf("/") > 0)
+ {
+ newResourcePath = resourcePath.substring(0, resourcePath.lastIndexOf("/") + 1) + orgLocation;
+ }
+
+ newResourcePath = canonicalize(newResourcePath);
+ if (newResourcePath.startsWith("../"))
+ {
+ throw new SecurityException("Cannot access a resource below the wsdl root: " + newResourcePath);
+ }
 
 String newLocation = requestURI + "?wsdl&resource=" + newResourcePath;
 locationAttr.setNodeValue(newLocation);
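Review bot: The guard `newResourcePath.startsWith("../")` misses a path whose canonical form is exactly `..` (a schemaLocation of `..` or `a/../..`), because canonicalize() keeps a leading `..` it cannot pop but emits no trailing slash; tighten it to `if ("..".equals(newResourcePath) || newResourcePath.startsWith("../"))`. Note also that this check runs on schemaLocation values taken from the served WSDL, whereas the `resource` query parameter that the rewritten URL hands back to the client is read elsewhere — if that code path does not apply the same canonicalize-and-reject step (it is not visible here), a client can still request `?wsdl&resource=../...` directly. The bare `// JBWS-153` comment would help more if it stated the rule, e.g. `// JBWS-153: resolve relative to the importing document, then refuse anything that escapes the wsdl root`. The enclosing method begins and ends outside this hunk.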
@@ -308,6 +317,41 @@
 }
 
 /**
+ * Canonicalizes a path, removing .. and . references.
+ */
+ private String canonicalize(String path)
+ {
+ StringTokenizer tok = new StringTokenizer(path, "/");
+ List parts = new ArrayList();
+ while (tok.hasMoreTokens())
+ {
+ String t = tok.nextToken();
+ if (".".equals(t))
+ {
+ // do nothing
+ }
+ else if ("..".equals(t) && parts.size() > 0)
+ {
+ // pop off the last one
+ parts.remove(parts.size() - 1);
+ }
+ else
+ {
+ parts.add(t);
+ }
+ }
+
+ StringBuffer ret = new StringBuffer();
+ for (Iterator iter = parts.iterator(); iter.hasNext();)
+ {
+ ret.append((String) iter.next());
+ if (iter.hasNext())
+ ret.append('/');
+ }
+ return ret.toString();
+ }
+
+ /**
 * Returns the Class info about the service class.
 */
 protected Class getServiceClass(String clsName, SOAPService service, MessageContext msgContext)
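Review bot: The Javadoc on canonicalize() says it removes `..` references, but the `else` branch keeps a `..` when there is nothing left to pop, and that retained prefix is exactly what the caller relies on to detect an escape; the doc should say so, e.g. `Collapses "." and ".." segments of a "/"-separated path; a ".." that cannot be resolved is kept at the front so callers can detect paths that escape the root. Empty segments and leading/trailing slashes are dropped, so "/a//b/" becomes "a/b".` It should also spell out what is not normalized: only `/` is a separator, so backslashes and percent-encoded segments such as `%2e%2e` pass through untouched and must be decoded or rejected before this method is consulted. The method reads no instance state and could be `private static`; it also uses `ArrayList` without a matching import in the first hunk, which is fine only if that import already exists above, something this diff does not show.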