tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/httpHttpProcessor.java
Date Sat, 11 Aug 2001 00:22:59 GMT
"Craig R. McClanahan" wrote:
> 
> On Fri, 10 Aug 2001, Incze Lajos wrote:
> 
> > On Thu, Aug 09, 2001 at 07:43:00PM -0000, craigmcc@apache.org wrote:
> > > craigmcc    01/08/09 12:43:00
> > >
> > ...
> > >   Make request URIs the contain "/..." (or any longer series of periods)
> > >   invalid.  On some (all?) Windows platforms, this causes the OS to walk the
> > >   directory tree just like "../../.." type sequences do.
> > ...
> >
> > Is this a "feature" (I mean a documented thing) or a bug?
> 
> IMHO it's a bug in the operating system, and it was a security flaw in
> Tomcat (which is not supposed to let you reference *anything* outside your
> web app's context).
> 
> > And: if a bug
> > then - just theoretically - is that a goood decision to program for bugs?
> 
> What other choice would we have?  Without doing this, there's nothing
> Tomcat could do to stop you from snooping the server's entire hard
> drive.  And users would rightly say that Tomcat is broken if that were
> allowed.
> 

There is an easy way to protect the server without using custom code
to overcome some OS bug, start Tomcat with -security and use a security
policy which uses java.io.FilePermission's to restrict access to
directories and files. :-)

This is a very good example of why you should use the Java SecurityManager.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------

Mime
View raw message