tomcat-dev mailing list archives

From bugzi...@apache.org
Subject DO NOT REPLY [Bug 6772] New: - [Security] RequestDipatcher allows to bypass security manager sandboxing
Date Thu, 28 Feb 2002 22:45:53 GMT
DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG 
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND 
INSERTED IN THE BUG DATABASE.

http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772

[Security] RequestDipatcher allows to bypass security manager sandboxing

           Summary: [Security] RequestDipatcher allows to bypass security
                    manager sandboxing
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Blocker
          Priority: Other
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: remm@apache.org


Using a request dispatcher with a relative URL (including '/../') allows a 
servlet or JSP to access files on the server filesystem, bypassing the 
protection the security manager provides.

From the original report:

The problem is this: with a more-or-less default installation of Tomcat
using the security manager, in a jsp:include you can access outside of
your context using ../../../ .  Note that in other forms of reading the
files, the security manager correctly prohibits access (both in a
jsp:include giving the real path, and in standard programmatic file 
opening with real and ../ paths).  It's just in the case of the include
with relative path that it allows access to others' files.

Here's a sample line of a jsp that should generate an error, but
doesn't.  The contexts are foo1/ and foo2/, they are defined in separate
context tags.  This line is from a file in foo1/.
<jsp:include page="../../../foo2/jsp/include/junk.txt"/>

--
To unsubscribe, e-mail:   <mailto:tomcat-dev-unsubscribe@jakarta.apache.org>
For additional commands, e-mail: <mailto:tomcat-dev-help@jakarta.apache.org>
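The invariant the report shows being violated is the one the Servlet API states for ServletRequest.getRequestDispatcher(): a relative path is resolved against the current request, but the result may not extend outside the current servlet context. The following is an added illustration, not Tomcat code and not the fix that was shipped, of the check a dispatcher has to perform before it ever touches the filesystem: resolve the include path against the including servlet's directory, collapse "." and ".." segment by segment, and refuse the request as soon as ".." would climb above the context root. The class and method names (IncludePathCheck, resolveWithinContext) and the servlet path "/jsp/test.jsp" used for the report's sample line are assumptions chosen for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added illustration (not Tomcat's code): resolve a jsp:include / RequestDispatcher
 * path against the including servlet's directory and reject any result that would
 * climb above the context root "/".
 */
public final class IncludePathCheck {

    private IncludePathCheck() {}

    /**
     * Returns the normalized, context-relative path for {@code include}, or
     * {@code null} if normalization would escape the context root.
     *
     * @param currentServletPath path of the servlet/JSP doing the include, e.g. "/jsp/test.jsp"
     * @param include            the page= / getRequestDispatcher() argument, absolute or relative
     */
    public static String resolveWithinContext(String currentServletPath, String include) {
        String combined;
        if (include.startsWith("/")) {
            combined = include;                       // already context-relative
        } else {
            int slash = currentServletPath.lastIndexOf('/');
            String dir = slash >= 0 ? currentServletPath.substring(0, slash + 1) : "/";
            combined = dir + include;                 // relative to the including servlet's directory
        }

        Deque<String> segments = new ArrayDeque<>();
        for (String seg : combined.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                             // "//" and "." add nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;                      // would climb above "/": reject, do not clamp
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }

        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    public static void main(String[] args) {
        // Constructed cases; the first is the sample line from the bug report,
        // issued from an assumed JSP at /jsp/test.jsp inside context foo1.
        String[][] cases = {
            {"/jsp/test.jsp", "../../../foo2/jsp/include/junk.txt"},
            {"/jsp/test.jsp", "../jsp/include/junk.txt"},
            {"/jsp/test.jsp", "/jsp/include/junk.txt"},
            {"/jsp/test.jsp", "include/./junk.txt"},
        };
        for (String[] c : cases) {
            String resolved = resolveWithinContext(c[0], c[1]);
            System.out.println(c[1] + " -> "
                    + (resolved == null ? "REJECTED (escapes context)" : resolved));
        }
    }
}
```

Two design points matter here. First, the check returns null on escape rather than clamping at "/": silently clamping turns a traversal attempt into an include of some other resource in the context, which hides the attack from logs. Second, the check is applied to the decoded, context-relative path before any File or getRealPath() call, so that a resource lookup by path can never reach a directory the security manager was meant to wall off; the report shows that getRealPath()-based access was already blocked, and this closes the relative-path route that was not.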

