tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From ma...@apache.org
Subject svn commit: r1056763 - in /tomcat/tc6.0.x/trunk: ./ STATUS.txt java/org/apache/catalina/servlets/DefaultServlet.java java/org/apache/catalina/servlets/WebdavServlet.java webapps/docs/changelog.xml
Date Sat, 08 Jan 2011 18:56:57 GMT
Author: markt
Date: Sat Jan  8 18:56:57 2011
New Revision: 1056763

URL: http://svn.apache.org/viewvc?rev=1056763&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
Force DefaultServlet to serve all resources relative to context root regardless of mappings/mount
point.
Prevents access to WEB-INF and META-INF when the default servlet is mapped to a sub-path.
Also fixes WebdavServlet, which is affected for GET requests.
This is a breaking change for anyone re-mapping DefaultServlet to a sub-path (current behaviour
is to remount the entire web application under the path, which exposes WEB-INF/META-INF).

Modified:
    tomcat/tc6.0.x/trunk/   (props changed)
    tomcat/tc6.0.x/trunk/STATUS.txt
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Jan  8 18:56:57 2011
@@ -1 +1 @@
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,77
 0809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,8901
 39,890265,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,944409,944416,945231,945808,945835,945841,946686
 ,948057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,961948,962865,962872,962881,962900,963106,963865,963868,964614,966177-966178,966292,966692,966863,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003461,1003481,1003488,1003556,1003572,1003581,1003861,1004868-1004869,1005452,1005467,1005647,1005802,1022120,1022134,1022323,1022415,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767,1033415,1033448,1033842,1037715,1037794,1037887,1037924,1038041,1044987,1055055,1055458
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,77
 0809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,8901
 39,890265,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,944409,944416,945231,945808,945835,945841,946686
 ,948057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,961948,962865,962872,962881,962900,963106,963865,963868,964614,966177-966178,966292,966692,966863,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003461,1003481,1003488,1003556,1003572,1003581,1003861,1004393,1004409,1004415,1004868-1004869,1004912,1005452,1005467,1005647,1005802,1022120,1022134,1022323,1022415,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767,1033415,1033448,1033842,1033897,1037715,1037794,1037887,1037924,1038041,1044987,1055055,1055458

Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1056763&r1=1056762&r2=1056763&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sat Jan  8 18:56:57 2011
@@ -61,24 +61,6 @@ PATCHES PROPOSED TO BACKPORT:
    cause confusion. I'd prefer not to invent a new name, but mention the
    one that we already have when documenting virtualClasspath.
 
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
-  Force DefaultServlet to serve all resources relative to context root
-  regardless of mappings/mount point.
-  Prevents access to WEB-INF and META-INF when the default servlet is
-  mapped to a sub-path. Also fixes WebdavServlet, which is affected for GET
-  requests.
-  This is a breaking change for anyone re-mapping DefaultServlet to a sub-path
-  (current behaviour is to remount the entire web application under the path,
-  which exposes WEB-INF/META-INF).
-  http://svn.apache.org/viewvc?rev=1004393&view=rev
-  http://svn.apache.org/viewvc?rev=1004409&view=rev
-  http://svn.apache.org/viewvc?rev=1004415&view=rev
-  http://svn.apache.org/viewvc?rev=1004912&view=rev (fix for includes)
-  +1: timw
-  +1: markt, kkolinko,funkman if http://svn.apache.org/viewvc?rev=1033897&view=rev
-            is also applied
-  -1:
-
 * Fix path parameter handling. Currently the following URL fails with a 404:
   http://localhost:8080/examples/jsp/snp;x=y/snoop.jsp
   http://people.apache.org/~kkolinko/patches/2010-11-17_tc6_path-params.patch

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1056763&r1=1056762&r2=1056763&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java Sat Jan  8
18:56:57 2011
@@ -68,9 +68,44 @@ import org.apache.naming.resources.Resou
 
 
 /**
- * The default resource-serving servlet for most web applications,
+ * <p>The default resource-serving servlet for most web applications,
  * used to serve static resources such as HTML pages and images.
- *
+ * </p>
+ * <p>
+ * This servlet is intended to be mapped to <em>/</em> e.g.:
+ * </p>
+ * <pre>
+ *   &lt;servlet-mapping&gt;
+ *       &lt;servlet-name&gt;default&lt;/servlet-name&gt;
+ *       &lt;url-pattern&gt;/&lt;/url-pattern&gt;
+ *   &lt;/servlet-mapping&gt;
+ * </pre>
+ * <p>It can be mapped to sub-paths, however in all cases resources are served
+ * from the web appplication resource root using the full path from the root
+ * of the web application context.
+ * <br/>e.g. given a web application structure:
+ *</p>
+ * <pre>
+ * /context
+ *   /images
+ *     tomcat2.jpg
+ *   /static
+ *     /images
+ *       tomcat.jpg
+ * </pre>
+ * <p>
+ * ... and a servlet mapping that maps only <code>/static/*</code> to the default
servlet:
+ * </p>
+ * <pre>
+ *   &lt;servlet-mapping&gt;
+ *       &lt;servlet-name&gt;default&lt;/servlet-name&gt;
+ *       &lt;url-pattern&gt;/static/*&lt;/url-pattern&gt;
+ *   &lt;/servlet-mapping&gt;
+ * </pre>
+ * <p>
+ * Then a request to <code>/context/static/images/tomcat.jpg</code> will succeed
+ * while a request to <code>/context/images/tomcat2.jpg</code> will fail. 
+ * </p>
  * @author Craig R. McClanahan
  * @author Remy Maucherat
  * @version $Id$
@@ -296,16 +331,26 @@ public class DefaultServlet
      * @param request The servlet request we are processing
      */
     protected String getRelativePath(HttpServletRequest request) {
+        // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
+        // serves resources from the web app root with context rooted paths.
+        // i.e. it can not be used to mount the web app root under a sub-path
+        // This method must construct a complete context rooted path, although
+        // subclasses can change this behaviour.
 
         // Are we being processed by a RequestDispatcher.include()?
         if (request.getAttribute(Globals.INCLUDE_REQUEST_URI_ATTR) != null) {
             String result = (String) request.getAttribute(
                                             Globals.INCLUDE_PATH_INFO_ATTR);
-            if (result == null)
+            if (result == null) {
                 result = (String) request.getAttribute(
                                             Globals.INCLUDE_SERVLET_PATH_ATTR);
-            if ((result == null) || (result.equals("")))
+            } else {
+                result = (String) request.getAttribute(
+                                  Globals.INCLUDE_SERVLET_PATH_ATTR) + result;
+            }
+            if ((result == null) || (result.equals(""))) {
                 result = "/";
+            }
             return (result);
         }
 
@@ -313,6 +358,8 @@ public class DefaultServlet
         String result = request.getPathInfo();
         if (result == null) {
             result = request.getServletPath();
+        } else {
+            result = request.getServletPath() + result;
         }
         if ((result == null) || (result.equals(""))) {
             result = "/";
@@ -323,6 +370,18 @@ public class DefaultServlet
 
 
     /**
+     * Determines the appropriate path to prepend resources with
+     * when generating directory listings. Depending on the behaviour of 
+     * {@link #getRelativePath(HttpServletRequest)} this will change.
+     * @param request the request to determine the path for
+     * @return the prefix to apply to all resources in the listing.
+     */
+    protected String getPathPrefix(final HttpServletRequest request) {
+        return request.getContextPath();
+    }
+
+
+    /**
      * Process a GET request for the specified resource.
      *
      * @param request The servlet request we are processing
@@ -833,8 +892,7 @@ public class DefaultServlet
 
                 if (content) {
                     // Serve the directory browser
-                    renderResult =
-                        render(request.getContextPath(), cacheEntry);
+                    renderResult = render(getPathPrefix(request), cacheEntry);
                 }
 
             }

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java?rev=1056763&r1=1056762&r2=1056763&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java Sat Jan  8 18:56:57
2011
@@ -30,6 +30,7 @@ import java.text.SimpleDateFormat;
 import java.util.Date;
 import java.util.Enumeration;
 import java.util.Hashtable;
+import java.util.Locale;
 import java.util.Stack;
 import java.util.TimeZone;
 import java.util.Vector;
@@ -70,45 +71,58 @@ import org.xml.sax.SAXException;
  * Servlet which adds support for WebDAV level 2. All the basic HTTP requests
  * are handled by the DefaultServlet. The WebDAVServlet must not be used as the
  * default servlet (ie mapped to '/') as it will not work in this configuration.
- * To enable WebDAV for a context add the following to web.xml:<br/><code>
- * &lt;servlet&gt;<br/>
- *  &lt;servlet-name&gt;webdav&lt;/servlet-name&gt;<br/>
- *  &lt;servlet-class&gt;org.apache.catalina.servlets.WebdavServlet&lt;/servlet-class&gt;<br/>
- *    &lt;init-param&gt;<br/>
- *      &lt;param-name&gt;debug&lt;/param-name&gt;<br/>
- *      &lt;param-value&gt;0&lt;/param-value&gt;<br/>
- *    &lt;/init-param&gt;<br/>
- *    &lt;init-param&gt;<br/>
- *      &lt;param-name&gt;listings&lt;/param-name&gt;<br/>
- *      &lt;param-value&gt;true&lt;/param-value&gt;<br/>
- *    &lt;/init-param&gt;<br/>
- *  &lt;/servlet&gt;<br/>
- *  &lt;servlet-mapping&gt;<br/>
- *    &lt;servlet-name&gt;webdav&lt;/servlet-name&gt;<br/>
- *    &lt;url-pattern&gt;/*&lt;/url-pattern&gt;<br/>
- *  &lt;/servlet-mapping&gt;
- * </code>
  * <p/>
- * This will enable read only access. To enable read-write access add:<br/>
- * <code>
- *    &lt;init-param&gt;<br/>
- *      &lt;param-name&gt;readonly&lt;/param-name&gt;<br/>
- *      &lt;param-value&gt;false&lt;/param-value&gt;<br/>
- *    &lt;/init-param&gt;<br/>
- * </code>
+ * Mapping a subpath (e.g. <code>/webdav/*</code> to this servlet has the effect
+ * of re-mounting the entire web application under that sub-path, with WebDAV
+ * access to all the resources. This <code>WEB-INF</code> and <code>META-INF</code>
+ * directories are protected in this re-mounted resource tree.
  * <p/>
- * To make the content editable via a different URL, using the following
- * mapping:<br/>
- * <code>
- *  &lt;servlet-mapping&gt;<br/>
- *    &lt;servlet-name&gt;webdav&lt;/servlet-name&gt;<br/>
- *    &lt;url-pattern&gt;/webdavedit/*&lt;/url-pattern&gt;<br/>
+ * To enable WebDAV for a context add the following to web.xml:
+ * <pre>
+ * &lt;servlet&gt;
+ *  &lt;servlet-name&gt;webdav&lt;/servlet-name&gt;
+ *  &lt;servlet-class&gt;org.apache.catalina.servlets.WebdavServlet&lt;/servlet-class&gt;
+ *    &lt;init-param&gt;
+ *      &lt;param-name&gt;debug&lt;/param-name&gt;
+ *      &lt;param-value&gt;0&lt;/param-value&gt;
+ *    &lt;/init-param&gt;
+ *    &lt;init-param&gt;
+ *      &lt;param-name&gt;listings&lt;/param-name&gt;
+ *      &lt;param-value&gt;false&lt;/param-value&gt;
+ *    &lt;/init-param&gt;
+ *  &lt;/servlet&gt;
+ *  &lt;servlet-mapping&gt;
+ *    &lt;servlet-name&gt;webdav&lt;/servlet-name&gt;
+ *    &lt;url-pattern&gt;/*&lt;/url-pattern&gt;
  *  &lt;/servlet-mapping&gt;
- * </code>
- * <p/>
- * Don't forget to secure access appropriately to the editing URLs. With this
- * configuration the context will be accessible to normal users as before. Those
- * users with the necessary access will be able to edit content available via
+ * </pre>
+ * This will enable read only access. To enable read-write access add:
+ * <pre>
+ *  &lt;init-param&gt;
+ *    &lt;param-name&gt;readonly&lt;/param-name&gt;
+ *    &lt;param-value&gt;false&lt;/param-value&gt;
+ *  &lt;/init-param&gt;
+ * </pre>
+ * To make the content editable via a different URL, use the following
+ * mapping:
+ * <pre>
+ *  &lt;servlet-mapping&gt;
+ *    &lt;servlet-name&gt;webdav&lt;/servlet-name&gt;
+ *    &lt;url-pattern&gt;/webdavedit/*&lt;/url-pattern&gt;
+ *  &lt;/servlet-mapping&gt;
+ * </pre>
+ * By default access to /WEB-INF and META-INF are not available via WebDAV. To
+ * enable access to these URLs, use add:
+ * <pre>
+ *  &lt;init-param&gt;
+ *    &lt;param-name&gt;allowSpecialPaths&lt;/param-name&gt;
+ *    &lt;param-value&gt;true&lt;/param-value&gt;
+ *  &lt;/init-param&gt;
+ * </pre>
+ * Don't forget to secure access appropriately to the editing URLs, especially
+ * if allowSpecialPaths is used. With the mapping configuration above, the
+ * context will be accessible to normal users as before. Those users with the
+ * necessary access will be able to edit content available via
  * http://host:port/context/content using
  * http://host:port/context/webdavedit/content
  *
@@ -253,6 +267,13 @@ public class WebdavServlet
     private int maxDepth = 3;
 
 
+    /**
+     * Is access allowed via WebDAV to the special paths (/WEB-INF and
+     * /META-INF)? 
+     */
+    private boolean allowSpecialPaths = false;
+
+
     // --------------------------------------------------------- Public Methods
 
 
@@ -271,6 +292,10 @@ public class WebdavServlet
             maxDepth = Integer.parseInt(
                     getServletConfig().getInitParameter("maxDepth"));
 
+        if (getServletConfig().getInitParameter("allowSpecialPaths") != null)
+            allowSpecialPaths = Boolean.parseBoolean(
+                    getServletConfig().getInitParameter("allowSpecialPaths"));
+
         // Load the MD5 helper used to calculate signatures.
         try {
             md5Helper = MessageDigest.getInstance("MD5");
@@ -312,10 +337,21 @@ public class WebdavServlet
     protected void service(HttpServletRequest req, HttpServletResponse resp)
         throws ServletException, IOException {
 
-        String method = req.getMethod();
+        final String path = getRelativePath(req);
+        
+        // Block access to special subdirectories.
+        // DefaultServlet assumes it services resources from the root of the web app
+        // and doesn't add any special path protection
+        // WebdavServlet remounts the webapp under a new path, so this check is
+        // necessary on all methods (including GET).
+        if (isSpecialPath(path)) {
+            resp.sendError(WebdavStatus.SC_NOT_FOUND);
+            return;
+        }
+
+        final String method = req.getMethod();
 
         if (debug > 0) {
-            String path = getRelativePath(req);
             log("[" + method + "] " + path);
         }
 
@@ -342,6 +378,19 @@ public class WebdavServlet
 
 
     /**
+     * Checks whether a given path refers to a resource under
+     * <code>WEB-INF</code> or <code>META-INF</code>.
+     * @param path the full path of the resource being accessed
+     * @return <code>true</code> if the resource specified is under a special
path
+     */
+    private final boolean isSpecialPath(final String path) {
+        return !allowSpecialPaths && (
+                path.toUpperCase(Locale.ENGLISH).startsWith("/WEB-INF") ||
+                path.toUpperCase(Locale.ENGLISH).startsWith("/META-INF"));
+    }
+
+
+    /**
      * Check if the conditions specified in the optional If headers are
      * satisfied.
      *
@@ -395,6 +444,20 @@ public class WebdavServlet
 
 
     /**
+     * Determines the prefix for standard directory GET listings.
+     */
+    @Override
+    protected String getPathPrefix(final HttpServletRequest request) {
+        // Repeat the servlet path (e.g. /webdav/) in the listing path
+        String contextPath = request.getContextPath();
+        if (request.getServletPath() !=  null) {
+            contextPath = contextPath + request.getServletPath();
+        }
+        return contextPath;
+    }
+
+
+    /**
      * OPTIONS Method.
      *
      * @param req The request
@@ -436,12 +499,6 @@ public class WebdavServlet
         if (path.endsWith("/"))
             path = path.substring(0, path.length() - 1);
 
-        if ((path.toUpperCase().startsWith("/WEB-INF")) ||
-            (path.toUpperCase().startsWith("/META-INF"))) {
-            resp.sendError(WebdavStatus.SC_FORBIDDEN);
-            return;
-        }
-
         // Properties which are to be displayed.
         Vector<String> properties = null;
         // Propfind depth
@@ -708,12 +765,6 @@ public class WebdavServlet
 
         String path = getRelativePath(req);
 
-        if ((path.toUpperCase().startsWith("/WEB-INF")) ||
-            (path.toUpperCase().startsWith("/META-INF"))) {
-            resp.sendError(WebdavStatus.SC_FORBIDDEN);
-            return;
-        }
-
         boolean exists = true;
         Object object = null;
         try {
@@ -1580,20 +1631,14 @@ public class WebdavServlet
         if (debug > 0)
             log("Dest path :" + destinationPath);
 
-        if ((destinationPath.toUpperCase().startsWith("/WEB-INF")) ||
-            (destinationPath.toUpperCase().startsWith("/META-INF"))) {
+        // Check destination path to protect special sub-directories
+        if (isSpecialPath(destinationPath)) {
             resp.sendError(WebdavStatus.SC_FORBIDDEN);
             return false;
         }
 
         String path = getRelativePath(req);
 
-        if ((path.toUpperCase().startsWith("/WEB-INF")) ||
-            (path.toUpperCase().startsWith("/META-INF"))) {
-            resp.sendError(WebdavStatus.SC_FORBIDDEN);
-            return false;
-        }
-
         if (destinationPath.equals(path)) {
             resp.sendError(WebdavStatus.SC_FORBIDDEN);
             return false;
@@ -1787,12 +1832,6 @@ public class WebdavServlet
                                    HttpServletResponse resp, boolean setStatus)
         throws ServletException, IOException {
 
-        if ((path.toUpperCase().startsWith("/WEB-INF")) ||
-            (path.toUpperCase().startsWith("/META-INF"))) {
-            resp.sendError(WebdavStatus.SC_FORBIDDEN);
-            return false;
-        }
-
         String ifHeader = req.getHeader("If");
         if (ifHeader == null)
             ifHeader = "";
@@ -1872,8 +1911,8 @@ public class WebdavServlet
         if (debug > 1)
             log("Delete:" + path);
 
-        if ((path.toUpperCase().startsWith("/WEB-INF")) ||
-            (path.toUpperCase().startsWith("/META-INF"))) {
+        // Prevent deletion of special sub-directories
+        if (isSpecialPath(path)) {
             errorList.put(path, new Integer(WebdavStatus.SC_FORBIDDEN));
             return;
         }
@@ -2009,9 +2048,7 @@ public class WebdavServlet
                                  Vector<String> propertiesVector) {
 
         // Exclude any resource in the /WEB-INF and /META-INF subdirectories
-        // (the "toUpperCase()" avoids problems on Windows systems)
-        if (path.toUpperCase().startsWith("/WEB-INF") ||
-            path.toUpperCase().startsWith("/META-INF"))
+        if (isSpecialPath(path))
             return;
 
         CacheEntry cacheEntry = resources.lookupCache(path);
@@ -2296,9 +2333,7 @@ public class WebdavServlet
                                          Vector propertiesVector) {
 
         // Exclude any resource in the /WEB-INF and /META-INF subdirectories
-        // (the "toUpperCase()" avoids problems on Windows systems)
-        if (path.toUpperCase().startsWith("/WEB-INF") ||
-            path.toUpperCase().startsWith("/META-INF"))
+        if (isSpecialPath(path))
             return;
 
         // Retrieving the lock associated with the lock-null resource

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1056763&r1=1056762&r2=1056763&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat Jan  8 18:56:57 2011
@@ -153,6 +153,10 @@
         Add security policy and token poller protection to the JRE memory leak
         protection provided in Tomcat 6. (markt/kkolinko)
       </add>
+      <add>
+        <bug>50026</bug>: Add support for mapping the default servlet to URLs
+        other than /. (timw)
+      </add>
       <fix>
         <bug>50128</bug>: Improve exception handling in PersistentManagerBase
         when running with a security manager. (kkolinko)



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message