tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From r...@locus.apache.org
Subject cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets DefaultServlet.java
Date Mon, 11 Dec 2000 17:07:29 GMT
remm        00/12/11 09:07:27

  Modified:    catalina/src/share/org/apache/catalina/servlets
                        DefaultServlet.java
  Log:
  - Fix a security problem where /WEB-INF could be accessed using a path like
    //WEB-INF. Now, the path is normalized before checking for /WEB-INF.
  
  Revision  Changes    Path
  1.16      +71 -6     jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
  
  Index: DefaultServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- DefaultServlet.java	2000/11/15 01:08:23	1.15
  +++ DefaultServlet.java	2000/12/11 17:07:25	1.16
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
1.15 2000/11/15 01:08:23 remm Exp $
  - * $Revision: 1.15 $
  - * $Date: 2000/11/15 01:08:23 $
  + * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
1.16 2000/12/11 17:07:25 remm Exp $
  + * $Revision: 1.16 $
  + * $Date: 2000/12/11 17:07:25 $
    *
    * ====================================================================
    *
  @@ -112,7 +112,7 @@
    *
    * @author Craig R. McClanahan
    * @author Remy Maucherat
  - * @version $Revision: 1.15 $ $Date: 2000/11/15 01:08:23 $
  + * @version $Revision: 1.16 $ $Date: 2000/12/11 17:07:25 $
    */
   
   public class DefaultServlet
  @@ -719,6 +719,69 @@
       }
   
   
  +    /**
  +     * Return a context-relative path, beginning with a "/", that represents
  +     * the canonical version of the specified path after ".." and "." elements
  +     * are resolved out.  If the specified path attempts to go outside the
  +     * boundaries of the current context (i.e. too many ".." path elements
  +     * are present), return <code>null</code> instead.
  +     *
  +     * @param path Path to be normalized
  +     */
  +    protected String normalize(String path) {
  +
  +	// Normalize the slashes and add leading slash if necessary
  +	String normalized = path;
  +	if (normalized.indexOf('\\') >= 0)
  +	    normalized = normalized.replace('\\', '/');
  +	if (!normalized.startsWith("/"))
  +	    normalized = "/" + normalized;
  +
  +	// Resolve occurrences of "//" in the normalized path
  +	while (true) {
  +	    int index = normalized.indexOf("//");
  +	    if (index < 0)
  +		break;
  +	    normalized = normalized.substring(0, index) +
  +		normalized.substring(index + 1);
  +	}
  +
  +	// Resolve occurrences of "%20" in the normalized path
  +	while (true) {
  +	    int index = normalized.indexOf("%20");
  +	    if (index < 0)
  +		break;
  +	    normalized = normalized.substring(0, index) + " " +
  +		normalized.substring(index + 3);
  +        }
  +
  +	// Resolve occurrences of "/./" in the normalized path
  +	while (true) {
  +	    int index = normalized.indexOf("/./");
  +	    if (index < 0)
  +		break;
  +	    normalized = normalized.substring(0, index) +
  +		normalized.substring(index + 2);
  +	}
  +
  +	// Resolve occurrences of "/../" in the normalized path
  +	while (true) {
  +	    int index = normalized.indexOf("/../");
  +	    if (index < 0)
  +		break;
  +	    if (index == 0)
  +		return (null);	// Trying to go outside our context
  +	    int index2 = normalized.lastIndexOf('/', index - 1);
  +	    normalized = normalized.substring(0, index2) +
  +		normalized.substring(index + 3);
  +	}
  +
  +	// Return the normalized path that we have completed
  +	return (normalized);
  +
  +    }
  +
  +
       // -------------------------------------------------------- Private Methods
   
   
  @@ -1224,8 +1287,10 @@
   
   	// Exclude any resource in the /WEB-INF and /META-INF subdirectories
   	// (the "toUpperCase()" avoids problems on Windows systems)
  -	if (path.toUpperCase().startsWith("/WEB-INF") ||
  -	    path.toUpperCase().startsWith("/META-INF")) {
  +        String normalizedPath = normalize(path);
  +	if ((normalizedPath == null) ||
  +            normalizedPath.toUpperCase().startsWith("/WEB-INF") ||
  +	    normalizedPath.toUpperCase().startsWith("/META-INF")) {
   	    response.sendError(HttpServletResponse.SC_NOT_FOUND, path);
   	    return;
   	}
  
  
  

Mime
View raw message