struts-user mailing list archives

From "Max Cooper" <...@maxcooper.com>
Subject Re: accessing file outside virtual directory
Date Fri, 11 Apr 2003 10:22:10 GMT
It isn't totally clear what you want to do.

But if you want to allow a user to make a request to your app server for a
particular file that is outside the web app's directory, you can create an
Action to send it back to the user. Securing this action is much better than
copying it to a directory the server can serve from, since anyone can
probably get the file while it is there, even if you delete it later.

Here's an Action that will send any file from /var/log to the user
requesting it. This isn't very safe, either, since they could request the
file ../../etc/passwd to get your password file. Request URLs would be
something like /contextPath/varLogAction.do?file=httpd. I haven't tested
this, but something along these lines should work:

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class VarLogAction extends Action {
   public static final String BASE_DIR = "/var/log";
   private static final int BUFFER_SIZE = 1000;

   // Struts 1.0-style entry point (Struts 1.1 calls this execute()).
   public ActionForward perform(
      ActionMapping mapping,
      ActionForm form,
      HttpServletRequest request,
      HttpServletResponse response
   ) throws IOException, ServletException {
      // The parameter is used as-is, so "../" sequences escape BASE_DIR
      // (this is the unsafe behaviour described above).
      File file = new File(BASE_DIR + File.separator +
                           request.getParameter("file"));
      response.setContentType("text/plain");
      // Copy raw bytes so the byte count matches file.length().
      response.setContentLength((int) file.length());
      InputStream in = new FileInputStream(file);
      try {
         OutputStream out = response.getOutputStream();
         byte[] buffer = new byte[BUFFER_SIZE];
         int n;
         while ((n = in.read(buffer)) != -1) {
            out.write(buffer, 0, n);   // write only the bytes actually read
         }
         out.flush();
      } finally {
         in.close();
      }
      return null;   // response already written; nothing to forward to
   }
}

Like I said, it is rather dangerous to allow people to request any file they
want (watch out for UTF encodings on the file values, too). You might want
to allow just a few values for the file attribute, and create a File to read
with something like new File("/var/log/httpd") in the case that it matches
one of the few files you allow them to read. This eliminates the possibility
that the file parameter value itself is used to generate the filename.

A path like "/var/log" hard-coded into the servlet also couples your app to
the execution environment, so it might be a good idea to allow that value to
be configured at deployment time somehow.

-Max

----- Original Message -----
From: "Beast" <beast@setuid.com>
To: <struts-user@jakarta.apache.org>
Sent: Friday, April 11, 2003 3:34 PM
Subject: oot: accessing file outside virtual directory


> Hello,
>
> It may not be directly a Struts issue, but I'll ask anyway.
> Is there any way of accessing files outside the http virtual directory (such as
> /var/log/*)? The user should be able to view/download those files.
> Right now I'm copying to a temporary directory (inside the web server virtual
> dir) so the user can download, then deleting it again (for security reasons). This
> works but is slow for large files ( > 10 MB).
>
> Tks.
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: struts-user-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: struts-user-help@jakarta.apache.org
>
>
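As an added example, not code from the original post or from the Struts project: the allow-list approach Max describes, written against the Struts 1.1 Action API (execute()). The base directory is taken from the action mapping's parameter attribute instead of being hard-coded, the "file" request parameter is only ever used as a key into a fixed table (so encoding tricks in the value cannot reach the filesystem), and a canonical-path check rejects anything that resolves outside the base directory, for example through a symlink. The key names, the file names in the table and the action path in the comment are assumptions for illustration.

```java
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/**
 * Serves a small, fixed set of log files. The request parameter is used
 * only as a lookup key; it never becomes part of a path.
 *
 * The base directory comes from the mapping's "parameter" attribute, e.g.
 *   <action path="/varLogAction" type="SafeLogAction" parameter="/var/log"/>
 * Request: /contextPath/varLogAction.do?file=httpd   (assumed mapping)
 */
public class SafeLogAction extends Action {

    private static final int BUFFER_SIZE = 8192;

    // Allowed keys -> file names relative to the base directory (assumed names).
    private static final Map ALLOWED;
    static {
        Map m = new HashMap();
        m.put("httpd", "httpd");
        m.put("access", "httpd/access_log");
        m.put("error", "httpd/error_log");
        ALLOWED = Collections.unmodifiableMap(m);
    }

    public ActionForward execute(ActionMapping mapping, ActionForm form,
            HttpServletRequest request, HttpServletResponse response)
            throws IOException, ServletException {

        String baseDir = mapping.getParameter();
        if (baseDir == null) {
            throw new ServletException("log base directory not configured");
        }

        // Look the key up; anything not in the table is simply "not found".
        String key = request.getParameter("file");
        String relative = (key == null) ? null : (String) ALLOWED.get(key);
        if (relative == null) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }

        File base = new File(baseDir).getCanonicalFile();
        File target = new File(base, relative).getCanonicalFile();

        // Defence in depth: even though the name came from our own table,
        // refuse anything that resolves (e.g. via a symlink) outside the base.
        if (!target.getPath().startsWith(base.getPath() + File.separator)) {
            response.sendError(HttpServletResponse.SC_FORBIDDEN);
            return null;
        }
        if (!target.isFile() || !target.canRead()) {
            response.sendError(HttpServletResponse.SC_NOT_FOUND);
            return null;
        }

        response.setContentType("text/plain");
        long size = target.length();
        if (size <= Integer.MAX_VALUE) {   // setContentLength() takes an int
            response.setContentLength((int) size);
        }

        // Stream raw bytes straight from disk; no temporary copy is made.
        InputStream in = new FileInputStream(target);
        try {
            OutputStream out = response.getOutputStream();
            byte[] buf = new byte[BUFFER_SIZE];
            int n;
            while ((n = in.read(buf)) != -1) {
                out.write(buf, 0, n);
            }
            out.flush();
        } finally {
            in.close();
        }
        return null;   // response fully written; no forward
    }
}
```

Because the table maps keys to names rather than validating user-supplied paths, a request such as file=../../etc/passwd, or any percent- or UTF-encoded variant of it, never reaches the filesystem at all; the canonical-path check is there for the case where something inside the base directory itself points elsewhere.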
