And now start claping Oracle introduce in the Oracle Reports 11g (Part of the Oracle Fusion Middleware 11g) a new Configuration Element <folderAccess> with which we can limit the read and write access for the Reports Server :-) Cool ...
The <folderAccess> Element can be defined in the $DOMAIN_NAME/servers/WLS_REPORTS/stage/reports/reports/configuration/rwserver.conf Configuration File for In-Process Servers or in the $ORACLE_INSTANCE/config/ReportsServerComponent/<reports_name>/rwserver.conf Configuration File for Standalone Reports Servers:
With the Sub-Element <read> we can define to which directories the Reports Server got read access (multiple directories can be added separated with a semicolon) and the most important Sub-Element <write> defines to which directories the Reports Server got write access (multiple directories can be added separated with a semicolon). So an Oracle Reports Call with the option destype=file and desname=<target_output_dir> can only write output files to the defined write-Directory: no chance to damage other files outside this directory :-)
So, that's really a good reason to move to Oracle Reports 11g
<folderAccess> <read>/u01/applications/demoapp/reports</read> <write>/u01/applications/reports_output</write> </folderAccess>
With the Sub-Element <read> we can define to which directories the Reports Server got read access (multiple directories can be added separated with a semicolon) and the most important Sub-Element <write> defines to which directories the Reports Server got write access (multiple directories can be added separated with a semicolon). So an Oracle Reports Call with the option destype=file and desname=<target_output_dir> can only write output files to the defined write-Directory: no chance to damage other files outside this directory :-)
So, that's really a good reason to move to Oracle Reports 11g