tomcat-dev mailing list archives

From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets DefaultServlet.java
Date Tue, 17 Oct 2000 19:45:29 GMT
craigmcc    00/10/17 12:45:28

  Modified:    .        RELEASE-NOTES-4.0-M3.txt
               catalina/src/share/org/apache/catalina/resources
                        FileResources.java ResourcesBase.java
               catalina/src/share/org/apache/catalina/servlets
                        DefaultServlet.java
  Log:
  Fix a nasty security hole in Tomcat 4.0 that would allow a URL like:
  
    http://localhost:8080/examples/jsp/snp/snoop.jsp/
  
  or
  
    http://localhost:8080/examples/jsp/snp/snoop.jsp\
  
  to display the source code of the JSP page.  The same problem occurred
  with static files -- the raw HTML code would be returned if there was a
  "/" or "\" after the name of a valid static file.
  
  Now, these requests will all return 404 (not found).
  
  Submitted by:	Cheong Takhoe <Takhoe@APIIT.EDU.MY>
  
  Revision  Changes    Path
  1.3       +10 -1     jakarta-tomcat-4.0/RELEASE-NOTES-4.0-M3.txt
  
  Index: RELEASE-NOTES-4.0-M3.txt
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/RELEASE-NOTES-4.0-M3.txt,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- RELEASE-NOTES-4.0-M3.txt	2000/10/16 23:56:55	1.2
  +++ RELEASE-NOTES-4.0-M3.txt	2000/10/17 19:45:23	1.3
  @@ -3,7 +3,7 @@
                               Release Notes
                               =============
   
  -$Id: RELEASE-NOTES-4.0-M3.txt,v 1.2 2000/10/16 23:56:55 craigmcc Exp $
  +$Id: RELEASE-NOTES-4.0-M3.txt,v 1.3 2000/10/17 19:45:23 craigmcc Exp $
   
   
   ============
  @@ -135,6 +135,15 @@
   the absolute paths used by Catalina and Jasper.  Previously, the webapps were
   not getting built correctly under some combinations of environment variables
   and class path settings.
  +
  +Catalina:  Parse POST parameters even if a character set is included in the
  +content type header (such as the following example header:
  +"Content-Type: application/x-www-form-urlencoded;charset=UTF-8").
  +
  +Catalina:  Fix a nasty security bug that would display the source of a JSP
  +page (or the raw HTML of a static resource) if you appended a "/" or "\"
  +character after the name of a valid resource.  Now, these requests return
  +NOT FOUND (404).
   
   
   ==============================
  
  
  
  1.3       +76 -16    jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/resources/FileResources.java
  
  Index: FileResources.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/resources/FileResources.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- FileResources.java	2000/08/21 16:25:45	1.2
  +++ FileResources.java	2000/10/17 19:45:24	1.3
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/resources/FileResources.java,v
1.2 2000/08/21 16:25:45 craigmcc Exp $
  - * $Revision: 1.2 $
  - * $Date: 2000/08/21 16:25:45 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/resources/FileResources.java,v
1.3 2000/10/17 19:45:24 craigmcc Exp $
  + * $Revision: 1.3 $
  + * $Date: 2000/10/17 19:45:24 $
    *
    * ====================================================================
    *
  @@ -93,7 +93,7 @@
    *
    * @author Craig R. McClanahan
    * @author Remy Maucherat
  - * @version $Revision: 1.2 $ $Date: 2000/08/21 16:25:45 $
  + * @version $Revision: 1.3 $ $Date: 2000/10/17 19:45:24 $
    */
   
   public final class FileResources extends ResourcesBase {
  @@ -173,12 +173,23 @@
       public String getRealPath(String path) {
   
           String normalized = normalize(path);
  -	if (normalized == null)
  +	if (normalized == null) {
  +            //            if (debug >= 1)
  +            //                log("getRealPath(" + path + ") --> NULL");
   	    return (null);
  -	validate(normalized);
  +        }
  +        try {
  +            validate(normalized);
  +        } catch (IllegalArgumentException e) {
  +            //            if (debug >= 1)
  +            //                log("getRealPath(" + path + ") --> IAE");
  +            throw e;
  +        }
   
   	// Return a real path to where this file does, or would, exist
   	File file = new File(base, normalized.substring(1));
  +        //        if (debug >= 1)
  +        //            log("getRealPath(" + path + ") --> " + file.getAbsolutePath());
   	return (file.getAbsolutePath());
   
       }
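Review bot: The new `try { validate(normalized); } catch (IllegalArgumentException e) { throw e; }` wrapper in getRealPath only rethrows, so while the debug logging stays commented out it behaves exactly like the bare `validate(normalized);` it replaced. The same wrapper is added in the getResourceAsStream and exists hunks, along with many commented-out `log(...)` lines. Either enable the logging behind the guard the comments already sketch, e.g. `if (debug >= 1) log("getRealPath(" + path + ") --> IAE");`, or drop the catch and the dead comments. The added lines are also indented with spaces while the surrounding context uses tabs.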
  @@ -203,11 +214,17 @@
   
   	// Acquire an absolute pathname for the requested resource
   	String pathname = getRealPath(path);
  -	if (pathname == null)
  +	if (pathname == null) {
  +            //            if (debug >= 1)
  +            //                log("getResource(" + path + ") --> NULL");
   	    return (null);
  +        }
   
   	// Construct a URL that refers to this file
  -	return (new URL("file", null, 0, pathname));
  +        URL url = new URL("file", null, 0, pathname);
  +        //        if (debug >= 1)
  +        //            log("getResource(" + path + ") --> " + url.toString());
  +        return (url);
   
       }
   
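Review bot: getResource still returns a `file:` URL when the path is a plain file name followed by "/", because the directory rule this commit adds exists only in getResourceAsStream. getRealPath builds `new File(base, normalized.substring(1))`, and java.io.File drops a trailing separator, so the URL points at the plain file; exists() in the later hunk has the same gap and returns `file.exists()` for it. Consider applying the same rule in both, for example in exists(): `if (normalized.endsWith("/") && !file.isDirectory()) return (false);`. Callers that trust exists() or open the URL directly are not visible here, so the impact is inferred. getResource's signature lies outside this hunk.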
  @@ -225,23 +242,45 @@
       public InputStream getResourceAsStream(String path) {
   
   	String normalized = normalize(path);
  -	if (normalized == null)
  +	if (normalized == null) {
  +            //            if (debug >= 1)
  +            //                log("getResourceAsStream(" + path + ") --> NULL");
   	    return (null);
  -	validate(normalized);
  +        }
  +        try {
  +            validate(normalized);
  +        } catch (IllegalArgumentException e) {
  +            //            if (debug >= 1)
  +            //                log("getResourceAsStream(" + path + ") --> IAE");
  +            throw e;
  +        }
   
   	// Look up the cached resource entry (if it exists) for this path
   	ResourceBean resource = null;
   	synchronized (resourcesCache) {
   	    resource = (ResourceBean) resourcesCache.get(normalized);
   	}
  -	if (resource != null)
  +	if (resource != null) {
  +            //            if (debug >= 1)
  +            //                log("getResourceAsStream(" + path + ") --> CACHED");
   	    return (new ByteArrayInputStream(resource.getData()));
  +        }
   
   	// Create a File object referencing the requested resource
   	File file = file(normalized);
  -	if ((file == null) || !file.exists() || !file.canRead())
  +	if ((file == null) || !file.exists() || !file.canRead()) {
  +            //            if (debug >= 1)
  +            //                log("getResourceAsStream(" + path + ") --> NO FILE");
   	    return (null);
  +        }
   
  +        // If the resource path ends in "/", this *must* be a directory
  +        if (normalized.endsWith("/") && !file.isDirectory()) {
  +            //            if (debug >= 1)
  +            //                log("getResourceAsStream(" + path + ") --> NOT DIR");
  +            return (null);
  +        }
  +
           // Special handling for directories
   	if (file.isDirectory()) {
   	    String contextPath =
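Review bot: The guard `normalized.endsWith("/") && !file.isDirectory()` covers only the forward slash, while the commit log and the DefaultServlet check also name a trailing "\". Whether normalize() rewrites backslashes is not visible in this hunk; if it does not, other callers of getResourceAsStream on a platform where "\" is a separator could still be handed the file. A suffix test is narrow by nature, and comparing the file's canonical path with the path that was requested would reject any alias the filesystem accepts. At minimum the condition could read `if ((normalized.endsWith("/") || normalized.endsWith("\\")) && !file.isDirectory())`. The method body continues past the end of the hunk.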
  @@ -266,6 +305,8 @@
                   }
                   directory.addResource(newEntry);
               }
  +            //            if (debug >= 1)
  +            //                log("getResourceAsStream(" + path + ") --> DIRECTORY");
   	    return (directory.render(contextPath));
   	}
   
  @@ -282,11 +323,15 @@
   		resourcesCache.put(resource.getName(), resource);
   		resourcesCount++;
   	    }
  +            //            if (debug >= 1)
  +            //                log("getResourceAsStream(" + path + ") --> CACHE AND SERVE");
   	    return (new ByteArrayInputStream(resource.getData()));
   	}
   
   	// Serve the contents directly from the filesystem
   	try {
  +            //            if (debug >= 1)
  +            //                log("getResourceAsStream(" + path + ") --> SERVE FILE");
   	    return (new FileInputStream(file));
   	} catch (IOException e) {
   	    log(sm.getString("resoruces.input", resource.getName()), e);
  @@ -307,15 +352,30 @@
       public boolean exists(String path) {
           
           String normalized = normalize(path);
  -	if (normalized == null)
  +	if (normalized == null) {
  +            //            if (debug >= 1)
  +            //                log("exists(" + path + ") --> NULL");
   	    return (false);
  -	validate(normalized);
  +        }
  +        try {
  +            validate(normalized);
  +        } catch (IllegalArgumentException e) {
  +            //            if (debug >= 1)
  +            //                log("exists(" + path + ") --> IAE");
  +            throw e;
  +        }
           
   	File file = new File(base, normalized.substring(1));
  -        if (file != null)
  +        if (file != null) {
  +            //            if (debug >= 1)
  +            //                log("exists(" + path + ") --> " + file.exists() +
  +            //                    " isDirectory=" + file.isDirectory());
               return (file.exists());
  -        else
  +        } else {
  +            //            if (debug >= 1)
  +            //                log("exists(" + path + ") --> NO FILE");
               return (false);
  +        }
           
       }
   
  
  
  
  1.3       +4 -5      jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/resources/ResourcesBase.java
  
  Index: ResourcesBase.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/resources/ResourcesBase.java,v
  retrieving revision 1.2
  retrieving revision 1.3
  diff -u -r1.2 -r1.3
  --- ResourcesBase.java	2000/10/09 21:04:03	1.2
  +++ ResourcesBase.java	2000/10/17 19:45:25	1.3
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/resources/ResourcesBase.java,v
1.2 2000/10/09 21:04:03 craigmcc Exp $
  - * $Revision: 1.2 $
  - * $Date: 2000/10/09 21:04:03 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/resources/ResourcesBase.java,v
1.3 2000/10/17 19:45:25 craigmcc Exp $
  + * $Revision: 1.3 $
  + * $Date: 2000/10/17 19:45:25 $
    *
    * ====================================================================
    *
  @@ -101,7 +101,7 @@
    * (such as a local or remote JAR file).
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.2 $ $Date: 2000/10/09 21:04:03 $
  + * @version $Revision: 1.3 $ $Date: 2000/10/17 19:45:25 $
    */
   
   public abstract class ResourcesBase
  @@ -1132,4 +1132,3 @@
   
   
   }
  -
  
  
  
  1.11      +13 -4     jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
  
  Index: DefaultServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- DefaultServlet.java	2000/10/10 17:21:39	1.10
  +++ DefaultServlet.java	2000/10/17 19:45:27	1.11
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
1.10 2000/10/10 17:21:39 remm Exp $
  - * $Revision: 1.10 $
  - * $Date: 2000/10/10 17:21:39 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
1.11 2000/10/17 19:45:27 craigmcc Exp $
  + * $Revision: 1.11 $
  + * $Date: 2000/10/17 19:45:27 $
    *
    * ====================================================================
    *
  @@ -112,7 +112,7 @@
    *
    * @author Craig R. McClanahan
    * @author Remy Maucherat
  - * @version $Revision: 1.10 $ $Date: 2000/10/10 17:21:39 $
  + * @version $Revision: 1.11 $ $Date: 2000/10/17 19:45:27 $
    */
   
   public class DefaultServlet
  @@ -1149,6 +1149,15 @@
           if (!resourceInfo.exists) {
   	    response.sendError(HttpServletResponse.SC_NOT_FOUND, path);
   	    return;
  +        }
  +
  +        // If the resource is not a collection, and the resource path
  +        // ends with "/" or "\", return NOT FOUND
  +        if (!resourceInfo.collection) {
  +            if (path.endsWith("/") || (path.endsWith("\\"))) {
  +                response.sendError(HttpServletResponse.SC_NOT_FOUND, path);
  +                return;
  +            }
           }
   
           // If the resource is a collection (aka a directory), we check 
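Review bot: The new `response.sendError(HttpServletResponse.SC_NOT_FOUND, path);` passes the request path as the error message, so text supplied by the client is handed to whatever renders the error page. Whether that page escapes the message is not visible here; if it does not, leave the path out with `response.sendError(HttpServletResponse.SC_NOT_FOUND);` or encode it first. The two nested `if` statements can also be one condition, `if (!resourceInfo.collection && (path.endsWith("/") || path.endsWith("\\")))`. The enclosing method starts and ends outside the hunk.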
  
  
  
