tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From <cmanola...@yahoo.com>
Subject Re: URI handling in tomcat 3.2.3
Date Thu, 13 Sep 2001 17:58:21 GMT
On Thu, 13 Sep 2001, Lars Oppermann wrote:

> > I agree that this URI handling sucks.  I'm the one that
> > committed the change that made it happen and I still
> > think it sucks.  However, allowing these encoded characters
> > opens some very large security problems.
>
>  From what I understand, these security problems are all related to
> mapping URIs to filesystem paths. So how do you feel about doing this
> processing in the filesystem (default) servlet?

It is not related only with the filesystem, but with the whole
security-constraint and servlet-mapping system ( both of them require
exact match and don't take into account 'hacked' URLs that would pass
security constraints and be mapped via extension-mapped or default
servlets ).

In addition, keep in mind the user is allowed to replace the default
servlet, and it may use other file-system dependent servlets. And if we
had so many problems with checking this, I doubt most users will be able
to put the right checks in their servlets.

But this is pointless - as long as a security constraint can be bypassed
by a double-slash or similar things, and you can have extension-mapped
resources ( most very unlikely to do the adequate checks ), I don't think
we can even discuss not normalizing the request.

Costin


Mime
View raw message