tomcat-dev mailing list archives

From hari...@hyperreal.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core DefaultServlet.java
Date Sat, 30 Oct 1999 19:00:21 GMT
harishp     99/10/30 12:00:20

  Modified:    src/share/org/apache/tomcat/core Tag: TOMCAT_J2EE_10F_102199
                        DefaultServlet.java
  Log:
  Fixed the serveDir method to follow symbolic links and to reject
  request paths that contain ".."
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.3.2.6   +27 -7     jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java
  
  Index: DefaultServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
  retrieving revision 1.3.2.5
  retrieving revision 1.3.2.6
  diff -u -r1.3.2.5 -r1.3.2.6
  --- DefaultServlet.java	1999/10/30 18:11:01	1.3.2.5
  +++ DefaultServlet.java	1999/10/30 19:00:18	1.3.2.6
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
1.3.2.5 1999/10/30 18:11:01 harishp Exp $
  - * $Revision: 1.3.2.5 $
  - * $Date: 1999/10/30 18:11:01 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/DefaultServlet.java,v
1.3.2.6 1999/10/30 19:00:18 harishp Exp $
  + * $Revision: 1.3.2.6 $
  + * $Date: 1999/10/30 19:00:18 $
    *
    * ====================================================================
    *
  @@ -511,12 +511,32 @@
   
           absPath = FilePathUtil.patch(absPath);
   
  -	if (! absPath.equals(canPath)) {
  -	    response.sendError(response.SC_NOT_FOUND);
  +	if (File.separatorChar  == '\\') { 
  +		// On Windows check ignore case....
  +		if(!absPath.equalsIgnoreCase(canPath)) {
  +		    response.sendError(response.SC_NOT_FOUND);
  +		    return;
  +		}
  +	} else {
  +		// The following code on Non Windows disallows ../ 
  +		// in the path but also disallows symlinks.... 
  +		// 
  +		// if(!absPath.equals(canPath)) {
  +	    	// response.sendError(response.SC_NOT_FOUND);
  +	    	// return;
  +		// }
  +		// instead lets look for ".." in the absolute path
  +		// and disallow only that. 
  +		// Why should we loose out on symbolic links?
  +		//
   
  -	    return;
  +		if(absPath.indexOf("..") != -1) {
  +		    // We have .. in the path...
  +		    response.sendError(response.SC_NOT_FOUND);
  +		    return;
  +		}
   	}
  -	
  +
   	Vector dirs = new Vector();
   	Vector files = new Vector();
   	String[] fileNames = file.list();
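Review bot: In the non-Windows branch, replacing the `absPath.equals(canPath)` comparison with `absPath.indexOf("..") != -1` drops the only check in this hunk that tied the served directory to its canonical location, so a symbolic link under the document root that resolves outside it would now have its target listed. If symlinks are to be followed, confine the resolved path instead of removing the check, e.g. `if (!canPath.startsWith(DOCROOT_CANONICAL + File.separator)) { response.sendError(response.SC_NOT_FOUND); return; }`, where `DOCROOT_CANONICAL` is a placeholder for the context's canonical document base, which is not visible in this hunk. The substring test is also imprecise: it rejects legitimate names such as `notes..old` and should compare whole path segments, and whether the path has already been URL-decoded at this point cannot be told from here. The commented-out old check should be deleted rather than kept in the body, with the rationale reduced to a single comment such as `// canonical-equality check removed so symlinks inside the docroot are served`. serveDir starts and ends outside the hunk.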
  
  
  
