tomcat-dev mailing list archives

From christopher hull <>
Subject pathTranslated and pathInfo... More unsafe paths
Date Thu, 15 Mar 2001 01:12:08 GMT

But wait...
is inside of
(see example below)

Do you have to specify all the sub-directories that a webapp uses?

Also, I've noticed an interesting and occasional unsafe path where a 
space is being introduced just before the path I supply to 

If I say servContext.getResourceAsStream("\path\foo.html");
I occasionally get an exception stating an unsafe path of...
w:\foo\bar\tomcat\webapps \path\foo.html

A space is being introduced just before the path I supply, but only 

Is there a reliable way to get the document root?
PathTranslated and PathInfo don't work the way they used to.

Running Tomcat 3.2.1


Larry Isaacs wrote:

 > David,
 > For security, web applications aren't allowed to access files outside
 > of the web application.  That is why /WEB-INF/../env.xml is okay
 > and /WEB-INF/../../env.xml isn't.
 > Larry
 > -----Original Message-----
 > From: David Soroko []
 > Sent: Tuesday, March 13, 2001 7:53 AM
 > To:
 > Subject: Unsafe path ?
 > Hi all
 > From within a servlet I am trying to read a file in the following way
 > getServletContext().getResourceAsStream(getInitParameter("envFile"));
 > When the parameter envFile has the value /WEB-INF/../../env.xml
 > I am getting the following message from Tomcat:
 > Unsafe path D:\Jupiter\tomcat\webapps\dir1\dir2\dir3 
 > Any ideas why is that?
 > Interestingly, when the parameter envFile has the value 
 > Tomcat has no problems reading the file.
 > This is on Tomcat 3.2/Wintel.
 > TIA


Christopher Hull
Engineering Group Manager, Senior Software Architect
Mediagate Inc.
iPost Card
iPost Voice 408 261 7201
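
The containment rule Larry describes in the quoted reply, written out as an added example: this is not code from the thread or from Tomcat, and it does not reproduce Tomcat 3.2's own check. The class name, method name and the `webapps/app` root are hypothetical; the three request paths are the ones quoted in the messages above.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class WebappPathCheck {

    /**
     * Resolves a context-relative resource path against the webapp root and
     * returns the normalized result, or null if it would leave the root.
     */
    static Path resolveInsideRoot(Path webappRoot, String resourcePath) {
        // Treat backslashes as separators so "\path\foo.html" is judged the
        // same way on every platform, then drop leading separators so the
        // path resolves relative to the root instead of replacing it.
        String rel = resourcePath.replace('\\', '/').replaceAll("^/+", "");
        Path root = webappRoot.toAbsolutePath().normalize();
        // normalize() collapses each ".." before the comparison is made.
        Path candidate = root.resolve(rel).normalize();
        // Path.startsWith compares whole name elements, so a sibling
        // directory such as "app-other" never counts as being under "app".
        return candidate.startsWith(root) ? candidate : null;
    }

    public static void main(String[] args) {
        // Constructed root directory (assumption, not from the thread).
        Path root = Paths.get("webapps", "app");
        String[] samples = {
            "/WEB-INF/../env.xml",     // stays inside the webapp
            "/WEB-INF/../../env.xml",  // climbs one level above the root
            "\\path\\foo.html",        // backslash form from the message
        };
        for (String s : samples) {
            Path p = resolveInsideRoot(root, s);
            System.out.println(s + " -> "
                + (p != null ? "allowed: " + p : "rejected (outside webapp root)"));
        }
    }
}
```

The comparison is made on the normalized path, so the number of `..` segments relative to the depth already descended is what decides the outcome, which matches the difference between the two `env.xml` paths in the quoted reply.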
