tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From craig...@locus.apache.org
Subject cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SimpleMapper1.java
Date Fri, 01 Dec 2000 03:00:42 GMT
craigmcc    00/11/30 19:00:41

  Modified:    src/doc  Tag: tomcat_32 readme
               src/share/org/apache/tomcat/request Tag: tomcat_32
                        SimpleMapper1.java
  Log:
  Fix a potential security problem in Tomcat 3.2.
  
  The servlet specification prohibits servlet containers from serving
  "files" in the WEB-INF directory of a web application.  Tomcat 3.2
  currently enforces this restriction on static resources (like
  /WEB-INF/web.xml),but allowed access to JSP pages stored there
  (/WEB-INF/index.jsp).  This access is no longer allowed.
  
  Submitted by: David Aiken <David_Aiken@bmc.com>
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.8.2.9   +10 -46    jakarta-tomcat/src/doc/readme
  
  Index: readme
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v
  retrieving revision 1.8.2.8
  retrieving revision 1.8.2.9
  diff -u -r1.8.2.8 -r1.8.2.9
  --- readme	2000/11/27 23:36:45	1.8.2.8
  +++ readme	2000/12/01 03:00:28	1.8.2.9
  @@ -1,9 +1,9 @@
  -$Id: readme,v 1.8.2.8 2000/11/27 23:36:45 craigmcc Exp $
  +$Id: readme,v 1.8.2.9 2000/12/01 03:00:28 craigmcc Exp $
   
  -                           Release Notes for:
  -                           ==================
  -                           TOMCAT Version 3.2
  -                           ==================
  +                            Release Notes for:
  +                           ====================
  +                           TOMCAT Version 3.2.1
  +                           ====================
   
   
   0.  TABLE OF CONTENTS:
  @@ -78,48 +78,12 @@
   =============================================================================
   5.  NEW FEATURES IN THIS RELEASE
   
  -Tomcat 3.2 is mainly a performance tune-up release, although a few new
  -features have been added.
  +Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2
  +(final) code base.  The following changes are included:
   
  -- Support for mod_jk, which is a replacement to the elderly mod_jserv, has
  -  had several bugs fixed and has received much more testing.  It is now
  -  recommended that all users use mod_jk instead of mod_jserv.
  -
  -- Support JAXP-based XML parser independence.
  -
  -- New and often requested "how-to" documents covering the following topics:
  -     - Configuring workers.properties
  -     - IIS and Netscape configuration
  -     - Running tomcat inside an IIS or Netscape process
  -     - Running Tomcat as a Windows NT service
  -     - Configuring a JDBC realm
  -     - Configuring mod_jk
  -
  -- First round of policy-based security support intended for running untrusted
  -  code inside of Tomcat.  Interested users should test this support and post
  -  feedback to the Tomcat users mailing list.
  -
  -- SSL support for standalone Tomcat. (Preliminary support first appeared in
  -  3.1, but the support in 3.2 has received more testing and documentation
  -  support.
  -
  -- Thread reuse is now enabled by default. The thread pool support code was part
  -  of 3.1, but not enabled since it was new.
  -
  -- Support for plug-able session managers.  Unfortunately, no how-to documents
  -  that support this functionality exist (yet). For the adventurous, be aware
  -  that the interface that allows administrators to plug session managers is
  -  the normal Interceptor interface.
  -
  -- An almost total rewrite of the HTTP request handling now results in improved
  -  performance when running Tomcat stand-alone.
  -
  -- Significantly reduced garbage collection.
  -
  -- The code has undergone a refactoring effort resulting in (we hope) improved
  -  readability.
  -
  -- And of course, hundreds of miscellaneous improvements and fixes.
  +- Disallowed requesting JSP pages under the WEB-INF directory
  +  (/WEB-INF/dummy.jsp).  Previously, only requests for static files
  +  were being disallowed.
   
   
   =============================================================================
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.15.2.3  +18 -0     jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java
  
  Index: SimpleMapper1.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java,v
  retrieving revision 1.15.2.2
  retrieving revision 1.15.2.3
  diff -u -r1.15.2.2 -r1.15.2.3
  --- SimpleMapper1.java	2000/08/25 17:50:30	1.15.2.2
  +++ SimpleMapper1.java	2000/12/01 03:00:41	1.15.2.3
  @@ -329,6 +329,24 @@
   	// is _allways_ called after contextMap ( it was asserted in  all
   	// implementations).
   	
  +        // Security check -- disallow any access under WEB-INF or META-INF
  +        String contextPath = null;
  +        Context context = req.getContext();
  +        if (context != null)
  +            contextPath = context.getPath();
  +        if (contextPath == null)
  +            contextPath = "";
  +        String requestURI = req.getRequestURI();
  +        if (requestURI == null)
  +            requestURI = "";
  +        String relativePath =
  +            requestURI.substring(contextPath.length()).toUpperCase();
  +        if (relativePath.equals("/META-INF") ||
  +            relativePath.equals("/WEB-INF") ||
  +            relativePath.startsWith("/META-INF/") ||
  +            relativePath.startsWith("/WEB-INF/"))
  +            return 404;
  +
   	return OK;
       }
   
  
  
  

Mime
View raw message