From: musachy@apache.org
To: commits@struts.apache.org
Reply-To: dev@struts.apache.org
Subject: svn commit: r688095 - /struts/struts2/trunk/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java
Date: Fri, 22 Aug 2008 15:22:57 -0000
Message-Id: <20080822152257.5661923889C2@eris.apache.org>
X-Mailer: svnmailer-1.0.8
Content-Type: text/plain; charset="utf-8"

Author: musachy
Date: Fri Aug 22 08:22:56 2008
New Revision: 688095

URL: http://svn.apache.org/viewvc?rev=688095&view=rev
Log:
WW-2779 Directory traversal vulnerability while serving static content

Modified:
    struts/struts2/trunk/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java

Modified: struts/struts2/trunk/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java
URL: http://svn.apache.org/viewvc/struts/struts2/trunk/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java?rev=688095&r1=688094&r2=688095&view=diff
==============================================================================
--- struts/struts2/trunk/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java (original)
+++ struts/struts2/trunk/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java Fri Aug 22 08:22:56 2008
@@ -69,6 +69,30 @@ assertEquals(0, res.getContentLength()); } + public void testInvalidRersources2() throws IOException { + contentLoader.findStaticResource("/struts/..", req, res); + assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus()); + assertEquals(0, res.getContentLength()); + } + + public void testInvalidRersources3() throws IOException { + contentLoader.findStaticResource("/struts/../othertest.properties", req, res); + assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus()); + assertEquals(0, res.getContentLength()); + } + + public void testInvalidRersources4() throws IOException { + contentLoader.findStaticResource("/struts/..%252f", req, res); + assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus()); + assertEquals(0, res.getContentLength()); + } + + public void testInvalidRersources5() throws IOException { + contentLoader.findStaticResource("/struts/..%252fothertest.properties", req, res); + assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus()); + assertEquals(0, res.getContentLength()); + } + @Override protected void setUp() throws Exception { super.setUp();
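Review bot: This revision modifies only StaticContentLoaderTest.java, yet the log message claims to address WW-2779 in the loader itself; unless the corresponding change to StaticContentLoader was committed separately, these four new tests will fail against the current trunk, so the commit message should reference the revision that carries the actual fix (or the fix should land in the same commit). Within the hunk, the new test names misspell "Resources" as "Rersources" (testInvalidRersources2 through testInvalidRersources5); fix the spelling before the names spread into other test classes. The four methods also repeat the same three lines with only the path differing; a small helper such as `assertNotServed(String path)` that calls `contentLoader.findStaticResource(path, req, res)` and asserts `HttpServletResponse.SC_NOT_FOUND` with zero content length would make it cheap to add further traversal variants later, and a comment on the `..%252f` cases explaining that this is the double-URL-encoded form of `../` would help readers understand why a literally non-existent path is a meaningful negative test.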