tomcat-dev mailing list archives

From r...@apache.org
Subject cvs commit: jakarta-tomcat-4.0/jasper/src/share/org/apache/jasper/servlet JspServlet.java
Date Wed, 07 Feb 2001 01:38:29 GMT
remm        01/02/06 17:38:28

  Modified:    jasper/src/share/org/apache/jasper/servlet JspServlet.java
  Log:
  - Fix for bug 531 : normalize the path (and use File.toURL() to make sure
    the URL is valid).
  
  Revision  Changes    Path
  1.11      +64 -3     jakarta-tomcat-4.0/jasper/src/share/org/apache/jasper/servlet/JspServlet.java
  
  Index: JspServlet.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat-4.0/jasper/src/share/org/apache/jasper/servlet/JspServlet.java,v
  retrieving revision 1.10
  retrieving revision 1.11
  diff -u -r1.10 -r1.11
  --- JspServlet.java	2001/02/04 01:07:51	1.10
  +++ JspServlet.java	2001/02/07 01:38:27	1.11
  @@ -517,8 +517,9 @@
   	if((jsw.servletClass == null) || outDated) {
   	    try {
   		URL [] urls = new URL[1];
  -		urls[0] = new URL("file:" + ctxt.getOutputDir());
  -		jsw.loader = new JasperLoader(urls,ctxt.getServletClassName(),
  +                File outputDir = new File(normalize(ctxt.getOutputDir()));
  +                urls[0] = outputDir.toURL();
  +                jsw.loader = new JasperLoader(urls,ctxt.getServletClassName(),
   					      parentClassLoader,permissionCollection);
   		jsw.servletClass = jsw.loader.loadClass(ctxt.getServletClassName());
   	    } catch (ClassNotFoundException cex) {
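Review bot: The result of `normalize()` is passed straight into `new File(...)`, but `normalize()` returns `null` for a null input or a path with too many `..` elements, and `new File((String) null)` throws `NullPointerException`. Only the `ClassNotFoundException` handler is visible here (the `try` block continues outside the hunk), so it is unclear whether anything turns that into a useful error. Take the value first, `String dir = normalize(ctxt.getOutputDir());`, and fail with an explicit message naming the rejected output directory when `dir == null`. Also note that `normalize()` prepends `/` to any path that does not start with one, so if `getOutputDir()` can ever return a relative directory it would silently be reinterpreted as absolute; a comment stating that the output directory is expected to be absolute would help.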
  @@ -534,7 +535,8 @@
   	return outDated;
       }
   
  -        /**
  +
  +    /**
        * Determines whether the current JSP class is older than the JSP file
        * from whence it came
        */
  @@ -554,5 +556,64 @@
   
           return outDated;
       }
  +
  +
  +    /**
  +     * Return a context-relative path, beginning with a "/", that represents
  +     * the canonical version of the specified path after ".." and "." elements
  +     * are resolved out.  If the specified path attempts to go outside the
  +     * boundaries of the current context (i.e. too many ".." path elements
  +     * are present), return <code>null</code> instead.
  +     *
  +     * @param path Path to be normalized
  +     */
  +    protected String normalize(String path) {
  +
  +        if (path == null)
  +            return null;
  +
  +        String normalized = path;
  +        
  +	// Normalize the slashes and add leading slash if necessary
  +	if (normalized.indexOf('\\') >= 0)
  +	    normalized = normalized.replace('\\', '/');
  +	if (!normalized.startsWith("/"))
  +	    normalized = "/" + normalized;
  +
  +	// Resolve occurrences of "//" in the normalized path
  +	while (true) {
  +	    int index = normalized.indexOf("//");
  +	    if (index < 0)
  +		break;
  +	    normalized = normalized.substring(0, index) +
  +		normalized.substring(index + 1);
  +	}
  +
  +	// Resolve occurrences of "/./" in the normalized path
  +	while (true) {
  +	    int index = normalized.indexOf("/./");
  +	    if (index < 0)
  +		break;
  +	    normalized = normalized.substring(0, index) +
  +		normalized.substring(index + 2);
  +	}
  +
  +	// Resolve occurrences of "/../" in the normalized path
  +	while (true) {
  +	    int index = normalized.indexOf("/../");
  +	    if (index < 0)
  +		break;
  +	    if (index == 0)
  +		return (null);	// Trying to go outside our context
  +	    int index2 = normalized.lastIndexOf('/', index - 1);
  +	    normalized = normalized.substring(0, index2) +
  +		normalized.substring(index + 3);
  +	}
  +
  +	// Return the normalized path that we have completed
  +	return (normalized);
  +
  +    }
  +
   
   }
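Review bot: A `.` or `..` segment at the very end of the path is never resolved, because the loops in `normalize()` search only for `/./` and `/../` with a trailing slash. `/a/..` comes back unchanged and `/..` is returned as-is rather than as `null`, which contradicts the Javadoc's promise for paths that leave the context. One way to close the gap is to add `if (normalized.endsWith("/.") || normalized.endsWith("/..")) normalized = normalized + "/";` before the loops, then decide whether the added slash should be stripped again on return. The Javadoc should also gain an `@return` tag stating that `null` means the path was rejected, since the caller in the first hunk of this commit uses the result without checking it.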
  
  
  
