tomcat-dev mailing list archives

From "Craig R. McClanahan" <Craig.McClana...@eng.sun.com>
Subject Re: relative path doesn't accept ../ for the context path
Date Sat, 17 Jun 2000 01:29:16 GMT
I believe that the change to DefaultServlet that I just checked in fixes this problem, without introducing any new security holes.  The change was to have DefaultServlet ask the context for the absolute path to the document root, rather than the document root itself.

Please help me validate the belief that no security hole was introduced.

Craig


Larry Isaacs wrote:

> Some code in the serveFile() method of org.apache.tomcat.servlets.DefaultServlet doesn't
> allow ".." in the path for security reasons.  Unfortunately, I think the ".." gets stored
> in your docBase setting, causing serveFile() to "Error 404" everything.
>
> Larry
>
> -----Original Message-----
> From: Thomas Laroche [mailto:Thomas.Laroche@supaero.fr]
> Sent: Friday, June 16, 2000 1:04 PM
> To: tomcat-dev@jakarta.apache.org
> Subject: relative path doesn't accept ../ for the context path
>
> Hello,
>
> Trying to set up tomcat (conf/server.xml), I faced the following problem.
> I defined a context path containing ../ and it wasn't recognized (Error
> 404).
>
>         <Context path="" docBase="../myAppl" debug="0" reloadable="true">
>         </Context>
>
> No problem, it works with absolute path or relative path without .. !
>
> I hope you can fix this (I suppose it's a bug :)
> By the way, I'm working with Linux.
>
> Good luck and continue the good work !
>
> Thomas Laroche
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
> For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org
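The thread describes two things: a filter in serveFile() that refuses any path containing "..", and a fix that resolves the document root to an absolute path before that filter runs. The following is an added example, not code from Tomcat's DefaultServlet, that shows both behaviours side by side on the docBase from the report ("../myAppl"). The Tomcat home directory, the class and method names, and the request paths are all constructed for the illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example (not Tomcat code): why a substring check for ".." on the raw
 * docBase + request path 404s everything when docBase is relative, and how
 * resolving the document root to an absolute path first keeps the
 * traversal check intact.
 */
public class DocRootCheck {

    // Naive filter as described in the thread: refuse any path containing "..".
    // Applied to the raw docBase plus request path it rejects every request
    // once docBase itself is "../myAppl".
    static boolean naiveAllows(String docBase, String requestPath) {
        String combined = docBase + "/" + requestPath;
        return !combined.contains("..");
    }

    // What the fix asks the context to supply: the document root as an
    // absolute, normalized path.  The ".." in docBase is folded away here,
    // once, before any request is examined.
    static Path resolveDocRoot(Path tomcatHome, String docBase) {
        return tomcatHome.resolve(docBase).toAbsolutePath().normalize();
    }

    // Containment check against the resolved root: normalize the target and
    // require that it still lies under docRoot.  Path.startsWith compares
    // whole path components, so "/opt/myAppl2" is not mistaken for a child
    // of "/opt/myAppl".
    static boolean canonicalAllows(Path docRoot, String requestPath) {
        String relative = requestPath.replaceFirst("^/+", ""); // keep resolve() from replacing the root
        Path target = docRoot.resolve(relative).normalize();
        return target.startsWith(docRoot);
    }

    public static void main(String[] args) {
        Path tomcatHome = Paths.get("/opt/tomcat");       // constructed layout (hypothetical)
        String docBase = "../myAppl";                     // the setting from the report
        Path docRoot = resolveDocRoot(tomcatHome, docBase); // -> /opt/myAppl

        String[] requests = { "index.html", "css/../index.html", "../outside.txt" };
        for (String req : requests) {
            System.out.printf("%-20s naive=%-5b canonical=%-5b%n",
                    req, naiveAllows(docBase, req), canonicalAllows(docRoot, req));
        }
        // index.html         naive=false canonical=true
        // css/../index.html  naive=false canonical=true
        // ../outside.txt     naive=false canonical=false
    }
}
```

The naive column is false for every request, which is the 404-everything symptom Larry describes; the canonical column admits ordinary requests (including ones whose ".." stays inside the root) and still refuses the one that escapes it. Note that Path.normalize() is purely lexical: if files or directories under the root can be symbolic links, resolve the existing target with toRealPath() before the startsWith comparison, otherwise a link pointing outside the root passes the check.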

