tomcat-dev mailing list archives

From "Craig R. McClanahan" <craig...@apache.org>
Subject Re: pathTranslated and pathInfo... More unsafe paths
Date Thu, 15 Mar 2001 01:18:49 GMT


On Wed, 14 Mar 2001, christopher hull wrote:

>
> But wait...
> /WEB-INF/../../env.xml
> is inside of
> /WEB-INF/../env.xml
> (see example below)
>

When you start with a slash, that means you are resolving a URL relative
to some "base".  The base that is used depends on the context you are
using it in:

* For things like request dispatchers, and ServletContext.getResource(),
the base is the context root of your web application.

* For things sent to the browser, like a hyperlink:
<a href="/WEB-INF/../../env.xml">Click Me</a>
the link would be resolved (by the browser) against the server root

> Do you have to specify all the sub-directories that a webapp uses?
>
> Also, I've noticed an interesting and occasional unsafe path where a
> space is being introduced just before the path I supply to
> getResourceAsStream.
>
> If I say servContext.getResourceAsStream("\path\foo.html");

This is actually an invalid path.  URLs always use forward slashes, even
if some browsers (and some servers) let you get away with backslashes.

> I occasionally get an exception stating an unsafe path of...
> w:\foo\bar\tomcat\webapps \path\foo.html
>
> A space is being introduced just before the path I supply, but only
> sometimes.
>

Are you absolutely positive that the webapps directory is named
"webapps" and not "webapps " (with a trailing space)?

> Is there a reliable way to get the document root?

You can get the context root of your webapp by calling:
String rootPath =
getServletContext().getRealPath("/");
if you are running under a servlet container that runs from unpacked
directories (like Tomcat 3.2.1 does).  If you are running under a servlet
container that runs web apps directly from a WAR file, there is no such
thing as the pathname of the context root, and the above call will return
null.

> PathTranslated and PathInfo don't work the way they used to.
>

Tomcat 3.1 had bugs in these calls -- Tomcat 3.2.1 works correctly.

> Running Tomcat 3.2.1
>
> -Chris
>
>

Craig McClanahan
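The base-resolution rule above (a leading slash resolves against the context root, ".." cannot climb above it, and backslashes are not valid URL separators) as an added example; this is not code from the message or from Tomcat, and the context root value and function names are constructed for illustration:

```python
# Constructed context root for the example; not a path from the original message.
CONTEXT_ROOT = "/opt/tomcat/webapps/myapp"


def normalize_context_path(path: str):
    """Collapse "." and ".." segments of a context-relative URL path.

    Returns the normalized path (always starting with "/"), or None when the
    path is invalid (backslashes, no leading slash) or when a ".." segment would
    climb above the context root, which is what makes a path "unsafe".
    """
    # URLs always use forward slashes; treat backslashes as invalid rather than
    # silently accepting them as separators.
    if "\\" in path:
        return None
    # A context-relative path must be absolute with respect to the context root.
    if not path.startswith("/"):
        return None
    segments = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue            # empty segment (double slash) or "." is a no-op
        if seg == "..":
            if not segments:
                return None     # nothing left to pop: the path escapes the root
            segments.pop()
        else:
            segments.append(seg)
    return "/" + "/".join(segments)


def resolve_in_context(context_root: str, path: str):
    """Map a context-relative path onto the filesystem under context_root,
    the way a container serving an unpacked webapp would, or None if unsafe."""
    normalized = normalize_context_path(path)
    if normalized is None:
        return None
    return context_root.rstrip("/") + normalized


if __name__ == "__main__":
    for p in ("/WEB-INF/../env.xml", "/WEB-INF/../../env.xml", "\\path\\foo.html"):
        print(f"{p!r:32} -> {resolve_in_context(CONTEXT_ROOT, p)!r}")
```

"/WEB-INF/../env.xml" stays inside the context root, while "/WEB-INF/../../env.xml" pops one segment too many and is rejected instead of being quietly clamped to the root.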

