From jhun...@hyperreal.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core DefaultServlet.java
Date Tue, 19 Oct 1999 06:45:05 GMT
jhunter     99/10/18 23:45:04

  Modified:    src/share/org/apache/tomcat/core DefaultServlet.java
  Log:
  Improved comments surrounding absPath/canPath check to enumerate known
  security concerns.
  
  Revision  Changes    Path
  1.3       +8 -7      jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java
  
  Index: DefaultServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- DefaultServlet.java	1999/10/15 00:34:30	1.2
  +++ DefaultServlet.java	1999/10/19 06:45:03	1.3
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
1.2 1999/10/15 00:34:30 akv Exp $
  - * $Revision: 1.2 $
  - * $Date: 1999/10/15 00:34:30 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
1.3 1999/10/19 06:45:03 jhunter Exp $
  + * $Revision: 1.3 $
  + * $Date: 1999/10/19 06:45:03 $
    *
    * ====================================================================
    *
  @@ -338,10 +338,6 @@
       private void serveFile(File file, HttpServletRequest request,
           HttpServletResponse response)
       throws IOException {
  -	// Make sure that x.jsp and x.jsp. is different
  -	// Make sure that x.Jsp and x.jsp trigger a 404
  -	// Make sure that x.jsp%20 triggers a 404.	
  -	// Make sure that we don't let ../'s through
   
   	String absPath = file.getAbsolutePath();
   	String canPath = file.getCanonicalPath();
  @@ -351,6 +347,11 @@
   
           absPath = FilePathUtil.patch(absPath);
   
  +        // This absPath/canPath comparison plugs security holes...
  +	// On Windows, makes "x.jsp.", "x.Jsp", and "x.jsp%20" 
  +        // return 404 instead of the JSP source
  +	// On all platforms, makes sure we don't let ../'s through
  +        // Unfortunately, on Unix, it prevents symlinks from working
   	if (! absPath.equals(canPath)) {
   	    response.sendError(response.SC_NOT_FOUND);
   
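Review bot: The new comment block is inconsistently indented — the lines beginning `// This absPath/canPath` and `// return 404` use spaces while `// On Windows` and `// On all platforms` use tabs, and the `"x.jsp%20"` line ends in trailing whitespace — so it should be aligned with the tab-indented code around it. It also records what the equality test rejects but not why it works: the check presumably catches `..` segments and the Windows trailing-dot, case and trailing-space aliases only because `getCanonicalPath()` normalizes them while `absPath` does not, so a line such as `// Relies on getCanonicalPath() normalizing these forms; if FilePathUtil.patch() ever does the same the check becomes a no-op` would make that dependency explicit (patch() itself is outside this hunk, so this is inferred). Because the symlink limitation stems from the same mechanism, the comment could note the usual alternative — verifying that canPath stays under the canonical document root instead of requiring equality — as a TODO, which would keep the traversal protection while permitting symlinks inside the root. serveFile's body continues past the end of the hunk.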
  
  
  
