Posted to issues@struts.apache.org by "Musachy Barroso (JIRA)" <ji...@apache.org> on 2009/08/19 06:25:00 UTC

[jira] Resolved: (WW-3142) Convention plugin support for default actionless dispatcher results exposes raw source code of index.jsp files on Google AppEngine

     [ https://issues.apache.org/struts/browse/WW-3142?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Musachy Barroso resolved WW-3142.
---------------------------------

       Resolution: Fixed
    Fix Version/s:     (was: 2.1.9)
                   2.1.8

merged into trunk, thanks for the patch! (and sorry it took me so long to merge)

> Convention plugin support for default actionless dispatcher results exposes raw source code of index.jsp files on Google AppEngine
> ----------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WW-3142
>                 URL: https://issues.apache.org/struts/browse/WW-3142
>             Project: Struts 2
>          Issue Type: Bug
>          Components: Plugin - Convention
>    Affects Versions: 2.1.6
>         Environment: Google AppEngine Java SDK v1.2.1, Struts v2.1.7-SNAPSHOT, xwork-2.1.4
>            Reporter: Kent R. Spillner
>            Assignee: Musachy Barroso
>             Fix For: 2.1.8
>
>         Attachments: struts2-plugin-convention-default-actionless-result.diff
>
>
> As initially documented in [WW-3114], a bug exists in either Struts or AppEngine which causes the raw source code of JSP files under WEB-INF to be served to clients as plain/text.  This potentially is a very serious security hole, although limited in scope.  Although potentially a bug in AppEngine only, I'm logging this as a separate JIRA issue with Struts because I believe Struts can easily be improved to avoid the bug altogether.
> The problem is caused by an extra path separator character at the beginning of the filename "/index.jsp".
> Assume the file WEB-INF/content/index.jsp exists and a request is made for the URL http://<app>.appspot.com/; then:
> ConventionUnknownHandler#handleUnknownAction() line 136 explicitly sets "/index" as the last path component before the file extension, but that's ok because servletContext.getResource(path) on line 194 returns a non-null value on AppEngine even with the double slash.  The if block beginning on line 141 is skipped because the action name is empty, but line 172 is executed because resource isn't null.  At this point, resource.path still includes the double slash and resource.ext is "jsp".
> This behavior seems correct to me, and nothing explicitly uses the path in ConventionUnknownHandler#buildActionConfig() lines 206-224.  I guess the code that has difficulty with the double slash is buried somewhere in ResultConfig.Builder or ActionConfig.Builder, but I haven't looked into the xwork source yet.
> If anyone has any pointers or suggestions for further promising areas of the code to look into in order to correctly solve this, I'd greatly appreciate it!
> Thanks in advance!
> Best,
> Kent
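The path construction the report describes, reduced to a stand-alone illustration. This is added example code, not the Convention plugin's source or the attached patch; the class and method names are assumptions. It shows that only the empty action name (the request for "/") combined with the hard-coded "/index" segment yields the "//index.jsp" double slash, and that a separator-aware join removes it before the path reaches result or servlet-context lookups.

```java
import java.util.regex.Pattern;

// Hypothetical helper for illustration; not ConventionUnknownHandler code.
public final class ResultPathBuilder {
    private static final Pattern MULTI_SLASH = Pattern.compile("/{2,}");

    // Naive join mirroring the report: prefix + "/" + component + "." + ext.
    // When actionName is empty the component is forced to "/index", so the
    // joined path carries a doubled separator; a named action does not.
    static String naiveResultPath(String pathPrefix, String actionName, String ext) {
        String component = actionName.isEmpty() ? "/index" : actionName;
        return pathPrefix + "/" + component + "." + ext;
    }

    // Separator-aware join: collapses any run of '/' to a single slash so
    // downstream code (result config, servletContext.getResource) never sees
    // the doubled separator regardless of how the component was chosen.
    static String normalizedResultPath(String pathPrefix, String actionName, String ext) {
        String raw = naiveResultPath(pathPrefix, actionName, ext);
        return MULTI_SLASH.matcher(raw).replaceAll("/");
    }

    // Defensive check a plugin could apply before registering a result:
    // refuse to build a ResultConfig from a path that still has "//" in it.
    static boolean hasDoubledSeparator(String path) {
        return MULTI_SLASH.matcher(path).find();
    }

    public static void main(String[] args) {
        String prefix = "/WEB-INF/content";
        // Request for "/" -> empty action name -> the reported double slash.
        String naiveRoot = naiveResultPath(prefix, "", "jsp");
        // A normal action name joins cleanly even with the naive builder.
        String naiveNamed = naiveResultPath(prefix, "hello", "jsp");
        String fixedRoot = normalizedResultPath(prefix, "", "jsp");

        System.out.println(naiveRoot + " doubled=" + hasDoubledSeparator(naiveRoot));
        System.out.println(naiveNamed + " doubled=" + hasDoubledSeparator(naiveNamed));
        System.out.println(fixedRoot + " doubled=" + hasDoubledSeparator(fixedRoot));
    }
}
```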

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.