tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Craig R. McClanahan" <>
Subject Re: pathTranslated and pathInfo... More unsafe paths
Date Thu, 15 Mar 2001 01:18:49 GMT

On Wed, 14 Mar 2001, christopher hull wrote:

> But wait...
> /WEB-INF/../../env.xml
> is inside of
> /WEB-INF/../env.xml
> (see example below)

When you start with a slash, that means you are resolving a URL relative
to some "base".  The base that is used depends on the context you are
using it in:

* For things like request dispatchers, and ServletContext.getResource(),
  the base is the context root of your web application.

* For things sent to the browkser, like a hyperlink:
	<a href="/WEB-INF/../../env.xml">Click Me</a>
  the link would be resolved (by the browser) against the server root
  of your web server.

> Do you have to specify all the sub-directories that a webapp uses?
> Also, I've noticed an interesting and occasionsl unsafe path where a 
> space is being introduced just before the path I supply to 
> getResourceAsStream.
> If I say servContext.getResourceAsStream("\path\foo.html");

This is actually an invalid path.  URLs always use forward slashes, even
if some browsers (and some servers) let you get away with backslashes.

> I occasionally get an exception stating an unsafe path of...
> w:\foo\bar\tomcat\webapps \path\foo.html
> A space is being introduced just before the path I supply, but only 
> sometimes.

Are you absolutely positive that the webapps directory is named
"webapps" and not "webapps " (with a trailing space)?

> Is there a reliable way to get the document root?

You can get the context root of your webapp by calling:
	String rootPath =
if you are running under a servlet container that runs from unpacked
directories (like Tomcat 3.2.1 does).  If you are running under a servlet
container that runs web apps directly from a WAR file, there is no such
thng as the pathname of the context root, and the above call will return

> PathTranslated and PathInfo don't work the way they used to.

Tomcat 3.1 had bugs in these calls -- Tomcat 3.2.1 works correctly.

> Running Tomcat 3.2.1
> -Chris

Craig McClanahan

View raw message