geronimo-scm mailing list archives

From ga...@apache.org
Subject svn commit: r909475 - in /geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat: GeronimoStandardContext.java valve/ProtectedTargetValve.java
Date Fri, 12 Feb 2010 16:13:00 GMT
Author: gawor
Date: Fri Feb 12 16:13:00 2010
New Revision: 909475

URL: http://svn.apache.org/viewvc?rev=909475&view=rev
Log:
GERONIMO-4980, GERONIMO-5030: Make sure we are not serving files from OSGI-INF or OSGI-OPT
directories

Added:
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/valve/ProtectedTargetValve.java
  (with props)
Modified:
    geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java

Modified: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java?rev=909475&r1=909474&r2=909475&view=diff
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
(original)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/GeronimoStandardContext.java
Fri Feb 12 16:13:00 2010
@@ -57,6 +57,7 @@
 import org.apache.geronimo.tomcat.listener.RunAsInstanceListener;
 import org.apache.geronimo.tomcat.util.SecurityHolder;
 import org.apache.geronimo.tomcat.valve.GeronimoBeforeAfterValve;
+import org.apache.geronimo.tomcat.valve.ProtectedTargetValve;
 import org.apache.geronimo.webservices.POJOWebServiceServlet;
 import org.apache.geronimo.webservices.WebServiceContainer;
 import org.apache.geronimo.webservices.WebServiceContainerInvoker;
@@ -174,6 +175,8 @@
         //Set a UserTransactionBeforeAfter
         interceptor = new UserTransactionBeforeAfter(interceptor, index++, ctx.getUserTransaction());
 
+        addValve(new ProtectedTargetValve());
+        
         Valve clusteredValve = ctx.getClusteredValve();
         if (null != clusteredValve) {
             addValve(clusteredValve);
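Review bot: The new `addValve(new ProtectedTargetValve());` call carries no comment, unlike the `//Set a UserTransactionBeforeAfter` line just above it, and its position in the pipeline is security-relevant. Any valve registered earlier in this method (which starts outside the hunk) would presumably see a request before the OSGI-INF/OSGI-OPT check runs, so the intended ordering should be stated, e.g. `// Must run before any valve that can produce a response: blocks direct requests for OSGI-INF and OSGI-OPT`. The added blank line also carries trailing whitespace.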

Added: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/valve/ProtectedTargetValve.java
URL: http://svn.apache.org/viewvc/geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/valve/ProtectedTargetValve.java?rev=909475&view=auto
==============================================================================
--- geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/valve/ProtectedTargetValve.java
(added)
+++ geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/valve/ProtectedTargetValve.java
Fri Feb 12 16:13:00 2010
@@ -0,0 +1,64 @@
+/**
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.geronimo.tomcat.valve;
+
+import java.io.IOException;
+
+import javax.servlet.ServletException;
+import javax.servlet.http.HttpServletResponse;
+
+import org.apache.catalina.connector.Request;
+import org.apache.catalina.connector.Response;
+import org.apache.catalina.valves.ValveBase;
+import org.apache.tomcat.util.buf.MessageBytes;
+
+/**
+ * Valve that prevents access to OSGI-INF and OSGI-OPT directories.
+ * 
+ * @version $Rev$ $Date$
+ */
+public class ProtectedTargetValve extends ValveBase {
+    
+    public ProtectedTargetValve() {
+    }
+
+    public void invoke(Request request, Response response) throws IOException, ServletException
{
+        // Disallow any direct access to resources under OSGI-INF or OSGI-OPT
+        if (request != null) {
+            MessageBytes requestPathMB = request.getRequestPathMB();
+            if ((requestPathMB.startsWithIgnoreCase("/OSGI-INF/", 0))
+                    || (requestPathMB.equalsIgnoreCase("/OSGI-INF"))
+                    || (requestPathMB.startsWithIgnoreCase("/OSGI-OPT/", 0))
+                    || (requestPathMB.equalsIgnoreCase("/OSGI-OPT"))) {
+                notFound(response);
+                return;
+            }
+        }
+                     
+        getNext().invoke(request, response);        
+    }
+    
+    private void notFound(HttpServletResponse response) {
+        try {
+            response.sendError(HttpServletResponse.SC_NOT_FOUND);
+        } catch (IllegalStateException e) {
+            // Ignore
+        } catch (IOException e) {
+            // Ignore
+        }
+    }
+}
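Review bot: The path check in `invoke` is only as strong as the form of `request.getRequestPathMB()`, and nothing in the file states that this is the decoded, normalized, context-relative path. If dot segments, percent-escapes or path parameters have not been collapsed by the time this valve runs, a literal prefix match on `/OSGI-INF/` and `/OSGI-OPT/` would miss equivalent spellings. That is presumably handled upstream during request mapping, but it should be confirmed and written down next to the check, e.g. `// requestPathMB is the decoded, normalized path relative to the context root`. A unit test driving the valve with encoded, dot-segment and path-parameter variants of both directory names would pin the assumption. Separately, `notFound` discards `IllegalStateException` and `IOException` with a bare `// Ignore` and the rejection itself is never logged; a debug-level log line in both places would make blocked requests and failed error responses visible to operators.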

Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/valve/ProtectedTargetValve.java
------------------------------------------------------------------------------
    svn:eol-style = native

Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/valve/ProtectedTargetValve.java
------------------------------------------------------------------------------
    svn:keywords = Date Revision

Propchange: geronimo/server/trunk/plugins/tomcat/geronimo-tomcat7/src/main/java/org/apache/geronimo/tomcat/valve/ProtectedTargetValve.java
------------------------------------------------------------------------------
    svn:mime-type = text/plain


