tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http
Date Fri, 10 Aug 2001 15:23:32 GMT

On Fri, 10 Aug 2001, Incze Lajos wrote:

> On Thu, Aug 09, 2001 at 07:43:00PM -0000, wrote:
> > craigmcc    01/08/09 12:43:00
> > 
> ...
> >   Make request URIs that contain "/..." (or any longer series of periods)
> >   invalid.  On some (all?) Windows platforms, this causes the OS to walk the
> >   directory tree just like "../../.." type sequences do.
> ...
> Is this a "feature" (I mean a documented thing) or a bug?

IMHO it's a bug in the operating system, and it was a security flaw in
Tomcat (which is not supposed to let you reference *anything* outside your
web app's context).

> And: if a bug
> then - just theoretically - is that a good decision to program for bugs?

What other choice would we have?  Without doing this, there's nothing
Tomcat could do to stop you from snooping the server's entire hard
drive.  And users would rightly say that Tomcat is broken if that were

Of course, you could call case insensitivity on Windows a bug as well
:-).  Even if you don't, it's something that Tomcat has to deal with in
order to conform to the specs that say request URIs are case sensitive.

> Even if you get away with this thing at URL parsing you will get it
> back at places that you can't control - you can't be safe until the
> bug is fixed on the platform itself.
> (Otherwise on my NT4 (SP6) the ........ etc. works at the DOS prompt
> mostly like a single dot. So here are some "remain in place" commands:
> cd .
> cd ....
> cd .....................
> But:
> cd ................\............... type commands sometimes succeed,
> sometimes raise a "The system cannot find the path specified" message
> and I'm lazy to try to figure out what is the rule behind this
> boring error.)

But "cd" commands are not Tomcat's problem.  You take your own risks :-)
when you run Tomcat on a platform that behaves like this -- all we can do
is make sure that *Tomcat* does not let you shoot yourself in the foot.

> incze

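The rule in the quoted commit message (reject any path segment that is a run of three or more periods, since some Windows file systems treat it like "..") is easy to state but worth seeing beside ordinary "." / ".." normalization, because the two checks must agree on what the context root is. The class below is an added illustration written for this archive page, not Tomcat's own connector code; the class name, method names and sample URIs are all constructed for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Hypothetical request-URI check (illustration, not Tomcat code).
 *
 * Rules, in the order they are applied to each "/"-separated segment:
 *   - empty and "." segments are dropped ("//" and "/./" add nothing);
 *   - ".." pops the previous segment, and is rejected if there is none,
 *     because that would climb above the web application's context root;
 *   - a segment made entirely of three or more periods ("...", "....", ...)
 *     is rejected outright: on the affected Windows platforms the OS treats
 *     it like a ".." sequence, so it must never reach the file system.
 */
public final class RequestUriCheck {

    private RequestUriCheck() {}

    /**
     * Returns the normalized path for a request URI, or null if the URI must
     * be rejected (the connector would answer 400 Bad Request).
     */
    public static String normalize(String uri) {
        if (uri == null || !uri.startsWith("/")) {
            return null;                    // a context-relative request URI is an absolute path
        }
        // Only the path part is used for the file lookup; drop the query string.
        int cut = uri.indexOf('?');
        String path = cut >= 0 ? uri.substring(0, cut) : uri;

        Deque<String> out = new ArrayDeque<>();
        for (String seg : path.split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (out.isEmpty()) {
                    return null;            // would escape the context root
                }
                out.removeLast();
                continue;
            }
            if (isAllPeriods(seg)) {
                return null;                // "/..." and longer runs: OS-specific alias for ".."
            }
            out.addLast(seg);
        }

        StringBuilder sb = new StringBuilder();
        for (String seg : out) {
            sb.append('/').append(seg);
        }
        // Keep a trailing slash so directory requests stay distinguishable.
        if (path.endsWith("/") && sb.length() > 0) {
            sb.append('/');
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    /** True for a segment consisting of three or more periods and nothing else. */
    static boolean isAllPeriods(String seg) {
        if (seg.length() < 3) {
            return false;
        }
        for (int i = 0; i < seg.length(); i++) {
            if (seg.charAt(i) != '.') {
                return false;
            }
        }
        return true;
    }

    public static void main(String[] args) {
        // Constructed sample URIs covering the accepted and rejected shapes.
        String[] samples = {
            "/index.html",            // -> /index.html
            "/docs/../index.html",    // -> /index.html
            "/../index.html",         // -> REJECT (climbs above the root)
            "/.../index.html",        // -> REJECT (three-period segment)
            "/a/..../b",              // -> REJECT (longer run of periods)
            "/a/.b/c",                // -> /a/.b/c (a dot-file, not a period run)
            "/dir/",                  // -> /dir/
        };
        for (String s : samples) {
            String n = normalize(s);
            System.out.println(s + " -> " + (n == null ? "REJECT" : n));
        }
    }
}
```

Two points a connector author has to keep in mind when wiring a check like this in: it must run on the percent-decoded path, otherwise "%2E%2E%2E" slips past a literal comparison, and it must run before the path is handed to anything that touches the file system, since, as the thread notes, the platform behaviour cannot be corrected from inside the servlet container. Case folding on Windows, which the reply also mentions, is a separate problem that this example does not address.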