tomcat-users mailing list archives

From Amos Shapira <amos.shap...@webcollage.com>
Subject Bug in serveFile - prevents 'docBase="."'
Date Thu, 06 Jul 2000 10:05:12 GMT
Hello,

I use the released Tomcat 3.1 under Windows 2000 (Sun JDK 1.2.2,
JBuilder 3.5) and think that I found the cause of my grief.

I try to use 'docBase="."' in order to avoid wiring absolute path
names in my server.xml file but this causes .gif files not to be found.

Tracing Tomcat I finally found the following code in
org.apache.tomcat.servlets.serveFile(File file,
HttpServletRequest request, HttpServletResponse response):

    // This absPath/canPath comparison plugs security holes...
    // On Windows, makes "x.jsp.", "x.Jsp", and "x.jsp%20"
    // return 404 instead of the JSP source
    // On all platforms, makes sure we don't let ../'s through
    // Unfortunately, on Unix, it prevents symlinks from working
    // So, a check for File.separatorChar='\\' ..... It hopefully
    // happens on flavors of Windows.
    if (File.separatorChar == '\\') {
        // On Windows check ignore case....
        if (!absPath.equalsIgnoreCase(canPath)) {
            response.sendError(response.SC_NOT_FOUND);
            return;
        }

What happens is that absPath is:

W:\sanbox\amos.shapira\providercenter\Catalog\ProviderCenter\.\go.gif

and canPath is:

W:\sanbox\amos.shapira\providercenter\Catalog\ProviderCenter\go.gif

Which is legitimate.  I think that the fix should involve something à la
the code which prevents use of ".." on UNIX.

Any comments as to how/when/if I can expect a fix or a work-around?

BTW, using 'docBase=""' doesn't seem to help.

Thanks,

--Amos Shapira
WebCollage
http://www.webcollage.com
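The check quoted above, and the reason 'docBase="."' defeats it, can be reproduced outside Tomcat. The following is an added example written for this archive page; it is not code from the Tomcat 3.1 source or from the poster. It models the Java behaviour the message relies on (File.getAbsolutePath() keeps "." and ".." segments, File.getCanonicalPath() resolves them and follows symlinks) and puts the 3.1-style "absolute must equal canonical" test next to the usual hardened form, which canonicalises docBase once and requires the canonical target to lie under that root. The directory layout, file names (ProviderCenter, go.gif, same.gif, leak, outside/secret.txt) and the two docBase settings are constructed for the demo. The Windows-only cases from the comment ("x.jsp.", "x.jsp%20", case folding) are not reproduced here; on a case-insensitive file system the hardened prefix check would additionally need a case-insensitive comparison.

```python
"""Added example: why comparing absolute and canonical paths breaks for
docBase=".", and a root-prefix check that does not (constructed demo)."""
import os
import shutil
import tempfile
from typing import Dict, List, Tuple


def java_absolute_path(path: str) -> str:
    """Mimic java.io.File.getAbsolutePath(): prepend the working directory,
    but do NOT normalise "." or ".." segments (os.path.abspath would)."""
    return path if os.path.isabs(path) else os.path.join(os.getcwd(), path)


def naive_check(doc_base: str, rel_path: str) -> bool:
    """Tomcat-3.1-style test from the quoted serveFile(): serve only if the
    absolute path equals the canonical path. Any "." or ".." in docBase or the
    request, and any symlink in the path, makes them differ -> 404."""
    candidate = os.path.join(doc_base, rel_path)
    return java_absolute_path(candidate) == os.path.realpath(candidate)


def hardened_check(doc_base: str, rel_path: str) -> bool:
    """Canonicalise the root once, canonicalise the requested file, and require
    the latter to sit inside the former (component-wise, so "/a/b" is not
    fooled by "/a/bc"). "." segments are harmless; "../" escapes and symlinks
    that leave the root are rejected; symlinks that stay inside still work."""
    root = os.path.realpath(doc_base)
    target = os.path.realpath(os.path.join(doc_base, rel_path))
    try:
        return os.path.commonpath([root, target]) == root
    except ValueError:  # e.g. different drives on Windows
        return False


def run_checks(doc_base: str, requests: List[str]) -> Dict[str, Tuple[bool, bool]]:
    """For each request path return (naive_result, hardened_result)."""
    return {r: (naive_check(doc_base, r), hardened_check(doc_base, r)) for r in requests}


def demo() -> Dict[str, Dict[str, Tuple[bool, bool]]]:
    """Constructed layout (assumption, not taken from the post):
        <tmp>/ProviderCenter/go.gif                    regular file inside docBase
        <tmp>/ProviderCenter/same.gif -> go.gif        symlink staying inside
        <tmp>/ProviderCenter/leak -> ../outside/secret.txt   symlink escaping
        <tmp>/outside/secret.txt                       file outside docBase
    Runs both checks with an absolute docBase and with docBase="." while the
    working directory is <tmp>/ProviderCenter, as a Windows service started
    in its own directory would see it."""
    tmp = os.path.realpath(tempfile.mkdtemp())
    root = os.path.join(tmp, "ProviderCenter")
    outside = os.path.join(tmp, "outside")
    os.makedirs(root)
    os.makedirs(outside)
    with open(os.path.join(root, "go.gif"), "wb") as f:
        f.write(b"GIF89a")  # constructed content
    with open(os.path.join(outside, "secret.txt"), "w") as f:
        f.write("secret")
    os.symlink("go.gif", os.path.join(root, "same.gif"))
    os.symlink(os.path.join("..", "outside", "secret.txt"), os.path.join(root, "leak"))
    requests = ["go.gif", "same.gif", "leak", "../outside/secret.txt"]
    old_cwd = os.getcwd()
    os.chdir(root)
    try:
        return {
            "absolute docBase": run_checks(root, requests),
            'docBase="."': run_checks(".", requests),
        }
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(tmp)


if __name__ == "__main__":
    for label, results in demo().items():
        print(label)
        for req, (naive, hardened) in results.items():
            print(f"  {req:24s} naive={'serve' if naive else '404'}  "
                  f"hardened={'serve' if hardened else '404'}")
```

With docBase="." the naive check 404s even the plain go.gif request, exactly the mismatch shown in the message (".\go.gif" versus "go.gif"), and with an absolute docBase it also 404s the in-tree symlink, which is the "prevents symlinks from working" caveat in the Tomcat comment. The root-prefix form serves both of those while still refusing the "../" request and the symlink that points outside the root.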
