tomcat-dev mailing list archives

From hari...@hyperreal.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core DefaultServlet.java
Date Sat, 30 Oct 1999 18:11:07 GMT
harishp     99/10/30 11:11:03

  Modified:    src/share/org/apache/tomcat/core Tag: TOMCAT_J2EE_10F_102199
                        DefaultServlet.java
  Log:
  A better fix...
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.3.2.5   +27 -7     jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java
  
  Index: DefaultServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
  retrieving revision 1.3.2.4
  retrieving revision 1.3.2.5
  diff -u -r1.3.2.4 -r1.3.2.5
  --- DefaultServlet.java	1999/10/30 05:36:22	1.3.2.4
  +++ DefaultServlet.java	1999/10/30 18:11:01	1.3.2.5
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
1.3.2.4 1999/10/30 05:36:22 gonzo Exp $
  - * $Revision: 1.3.2.4 $
  - * $Date: 1999/10/30 05:36:22 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
1.3.2.5 1999/10/30 18:11:01 harishp Exp $
  + * $Revision: 1.3.2.5 $
  + * $Date: 1999/10/30 18:11:01 $
    *
    * ====================================================================
    *
  @@ -358,10 +358,30 @@
           // Unfortunately, on Unix, it prevents symlinks from working
   	// So, a check for File.separatorChar='\\' ..... It hopefully
   	// happens on flavors of Windows.
  -	if ( (File.separatorChar  == '\\') && (!absPath.equals(canPath)) ) {
  -	    response.sendError(response.SC_NOT_FOUND);
  -
  -	    return;
  +	if (File.separatorChar  == '\\') { 
  +		// On Windows check ignore case....
  +		if(!absPath.equalsIgnoreCase(canPath)) {
  +	    	response.sendError(response.SC_NOT_FOUND);
  +	    	return;
  +		}
  +	} else {
  +		// The following code on Non Windows disallows ../ 
  +		// in the path but also disallows symlinks.... 
  +		// 
  +		// if(!absPath.equals(canPath)) {
  +	    	// response.sendError(response.SC_NOT_FOUND);
  +	    	// return;
  +		// }
  +		// instead lets look for ".." in the absolute path
  +		// and disallow only that. 
  +		// Why should we loose out on symbolic links?
  +		//
  +
  +		if(absPath.indexOf("..") != -1) {
  +			// We have .. in the path...
  +	    	response.sendError(response.SC_NOT_FOUND);
  +	    	return;
  +		}
   	}
   
   	String mimeType = mimeTypes.getContentTypeFor(file.getName());
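Review bot: The non-Windows branch replaces the canonical-path comparison with `absPath.indexOf("..") != -1`, which is a substring test rather than a containment check: it rejects legitimate names such as `notes..txt`, and it no longer stops a symlink under the document root from resolving to a file outside it. A check that keeps in-tree symlinks working while still bounding the result would compare the canonical path with the canonical document root, e.g. `if (!canPath.startsWith(docBaseCanonical + File.separator)) { response.sendError(response.SC_NOT_FOUND); return; }` (`docBaseCanonical` is a placeholder; the root is not visible in this hunk). In the Windows branch, `equalsIgnoreCase` also accepts a request whose case differs from the on-disk name, so any mapping or constraint elsewhere that matches the URL case-sensitively (JSP handling, protected directories) would presumably need the same normalisation, which is worth confirming. The enclosing method starts and ends outside the hunk, so how `absPath` and `canPath` are derived cannot be checked here.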
  
  
  
