From: Harish Prabandham
Reply-To: Harish.Prabandham@eng.sun.com
Organization: JavaSoftware, Sun Microsystems Inc.
Date: Sun, 07 Nov 1999 12:21:52 -0800
To: tomcat-dev@jakarta.apache.org
Subject: Re: DefaultServlet path checks

Hi Hans,

A fix similar to this exists on the J2EE branch. Please do not commit any
changes to the branch. Costin has merged the J2EE branch with the trunk, so
this change should be available there... Could you check this out before
you commit your changes?

Thanx
Harish

Hans Bergsten wrote:

> I believe I've found a solution for checking the path in the DefaultServlet
> that works with both 8.3 and long file paths on Windows and symbolic links
> on Unix, and still catches all attempts to get to the source of JSP files
> or other extension mapped files. I have only tested this on Windows but I
> don't see why it shouldn't work on other platforms.
>
> The solution is to always check for ".." and then only compare the file
> extension part of the URI with the file extension from the canonical
> path. As far as I can tell, that's the only part we need to worry about
> since that's where extra characters or mixed case can fool the container
> to dispatch to DefaultServlet instead of a servlet mapped to the file
> extension. Mixed case in the path itself doesn't really matter; on a case
> sensitive platform the file will not be found, on a case insensitive it
> will be found but that's okay as long as we catch tricks with the extension
> part.
>
> Please take a look at this version of the serveFile() method. If everyone
> is happy with it, I will commit it to both the J2EE branch and the main
> branch.
>
>     private void serveFile(File file, HttpServletRequest request,
>                            HttpServletResponse response) throws IOException {
>
>         String absPath = file.getAbsolutePath();
>         String canPath = file.getCanonicalPath();
>         if (absPath.indexOf("..") != -1) {
>             // We have .. in the path...
>             response.sendError(HttpServletResponse.SC_NOT_FOUND,
>                                "File Not Found: " + absPath);
>             return;
>         }
>
>         // Compare the file extension part of the requested name
>         // with the "real" extension, to catch attempts to read
>         // shtml or jsp source by adding characters or using mixed
>         // case extension on Windows platforms
>         String reqExt = absPath;
>         int dot = absPath.lastIndexOf('.');
>         if (dot != -1 && dot < absPath.length() - 1) {
>             reqExt = absPath.substring(dot + 1);
>         }
>         String canExt = canPath;
>         dot = canPath.lastIndexOf('.');
>         if (dot != -1 && dot < canPath.length() - 1) {
>             canExt = canPath.substring(dot + 1);
>         }
>         if (!canExt.equals(reqExt)) {
>             response.sendError(HttpServletResponse.SC_NOT_FOUND,
>                                "File Not Found: " + absPath);
>             return;
>         }
>
>         String mimeType = mimeTypes.getContentTypeFor(file.getName());
>
>         if (mimeType == null) {
>             mimeType = "text/plain";
>         }
>
>         response.setContentType(mimeType);
>         response.setContentLength((int) file.length());
>         response.setDateHeader("Last-Modified", file.lastModified());
>
>         // Open the stream inside the try so a missing file is reported
>         // by the FileNotFoundException handler below instead of escaping
>         FileInputStream in = null;
>
>         try {
>             in = new FileInputStream(file);
>             serveStream(in, request, response);
>         } catch (FileNotFoundException e) {
>             // Figure out what we're serving
>
>             String requestURI = (String) request.getAttribute(
>                 Constants.Attribute.RequestURI);
>
>             if (requestURI == null) {
>                 requestURI = request.getRequestURI();
>             }
>
>             response.sendError(HttpServletResponse.SC_NOT_FOUND,
>                                "File Not Found: " + requestURI);
>         } catch (SocketException e) {
>             return; // munch
>         } finally {
>             if (in != null) {
>                 in.close();
>             }
>         }
>     }
>
> --
> Hans Bergsten hans@gefionsoftware.com
> Gefion Software http://www.gefionsoftware.com
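The two checks from the quoted serveFile(), re-expressed as an added Python example (not code from the thread or from Tomcat) so the cases Hans lists can be exercised side by side. The path pairs are constructed stand-ins for what File.getAbsolutePath() and File.getCanonicalPath() would return; nothing here was captured from a real Windows or Unix run.

```python
# Added example, not code from the thread or from Tomcat: the serveFile()
# checks re-expressed in Python. The path pairs are constructed stand-ins
# for what File.getAbsolutePath() / File.getCanonicalPath() would return.

def extension_of(path: str) -> str:
    """Mirror the Java logic: text after the last '.', unless there is no
    dot or the dot is the final character; then the whole path is returned
    so it can never equal a genuine extension."""
    dot = path.rfind(".")
    if dot != -1 and dot < len(path) - 1:
        return path[dot + 1:]
    return path

def should_serve(abs_path: str, canonical_path: str) -> bool:
    """May DefaultServlet hand this file out as a static resource?
    Reject '..' anywhere in the requested path, then require the requested
    and canonical extensions to match (case-sensitive, as String.equals)."""
    if ".." in abs_path:  # note: also rejects legitimate names like a..b.txt
        return False
    return extension_of(abs_path) == extension_of(canonical_path)

# (requested absolute path, canonical path the filesystem resolves it to)
CONSTRUCTED_CASES = [
    (r"C:\webapp\index.jsp",     r"C:\webapp\index.jsp"),  # ordinary request
    (r"C:\webapp\logo.gif",      r"C:\webapp\logo.gif"),
    (r"C:\webapp\index.jsp.",    r"C:\webapp\index.jsp"),  # trailing dot
    (r"C:\webapp\INDEX.JSP",     r"C:\webapp\index.jsp"),  # mixed-case ext
    (r"C:\webapp\INDEX~1.JSP",   r"C:\webapp\index.jsp"),  # 8.3 short name
    (r"C:\webapp\index~1.jsp",   r"C:\webapp\index.jsp"),  # served: same ext,
                                                           # but *.jsp mapping
                                                           # claims it first
    (r"C:\webapp\..\secret.txt", r"C:\secret.txt"),        # traversal
    ("/webapp/page.html",        "/data/real.jsp"),        # Unix symlink
]

def evaluate_cases() -> dict:
    """Map each requested path to the decision the check would make."""
    return {req: should_serve(req, can) for req, can in CONSTRUCTED_CASES}

if __name__ == "__main__":
    for req, served in evaluate_cases().items():
        print("serve" if served else "404  ", req)
```

The index~1.jsp row shows the limit of the check that Hans's message relies on: only requests whose URI extension differs from the real one are of interest here, because a URI that already ends in .jsp is routed to the JSP servlet before DefaultServlet ever sees it.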