tomcat-dev mailing list archives

From <..@almery.com>
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core DefaultServlet.java
Date Tue, 19 Oct 1999 20:04:15 GMT
Hi,

There is another place in DefaultServlet.java which performs this same 
test, in the serveDir directory.

Here's a patch which will put the same comment before this test, too.

It looks like some refactoring will ultimately be necessary.

Index: DefaultServlet.java
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
retrieving revision 1.3
diff -u -r1.3 DefaultServlet.java
--- DefaultServlet.java 1999/10/19 06:45:03     1.3
+++ DefaultServlet.java 1999/10/19 20:11:49
@@ -352,6 +352,7 @@
         // return 404 instead of the JSP source
        // On all platforms, makes sure we don't let ../'s through
         // Unfortunately, on Unix, it prevents symlinks from working
+
        if (! absPath.equals(canPath)) {
            response.sendError(response.SC_NOT_FOUND);
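Review bot: the blank line added between the comment block and the `if (! absPath.equals(canPath))` check separates the explanation from the statement it describes; drop it, or keep the comment directly attached to the check. The context lines also show the comment block indented inconsistently (seven spaces on the `// On all platforms` line, eight on the others), which is worth normalizing while this block is being touched. Since the same comment is now duplicated at the second site, the absPath/canPath comparison and its comment look like a candidate for a single shared helper, as the covering message itself anticipates.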

@@ -480,8 +481,11 @@
        String absPath = file.getAbsolutePath();
        String canPath = file.getCanonicalPath();

-        // take care of File.getAbsolutePath() troubles on
-        // jdk1.1.x/win
+        // This absPath/canPath comparison plugs security holes...
+       // On Windows, makes "x.jsp.", "x.Jsp", and "x.jsp%20"
+        // return 404 instead of the JSP source
+       // On all platforms, makes sure we don't let ../'s through
+        // Unfortunately, on Unix, it prevents symlinks from working

         absPath = FilePathUtil.patch(absPath);
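Review bot: the replaced comment (`// take care of File.getAbsolutePath() troubles on jdk1.1.x/win`) documented why `absPath = FilePathUtil.patch(absPath);` is called on the very next line, and the new text drops that rationale; keep that line next to the `patch` call. The new comment describes the absPath/canPath comparison, which is not the statement that follows it in this hunk, so it would read better placed directly above the equality check rather than above the path patching. The `// On Windows` and `// On all platforms` lines are indented one space less than the rest, repeating the inconsistency at the first site; align them.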

-- 
Jay Doane | vivid studios | doane@vivid.com
