Posted to java-dev@axis.apache.org by "Jarek Gawor (JIRA)" <ji...@apache.org> on 2009/03/23 03:18:50 UTC

[jira] Created: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath
-------------------------------------------------------------------------------------------------------------------

                 Key: AXIS2-4282
                 URL: https://issues.apache.org/jira/browse/AXIS2-4282
             Project: Axis 2.0 (Axis2)
          Issue Type: Bug
          Components: kernel
    Affects Versions: 1.5, nightly
            Reporter: Jarek Gawor
            Assignee: Jarek Gawor
             Fix For: 1.5, nightly


If JarFileClassLoader contains one classpath entry that is a directory, it will allow resources to be loaded from ANY directory on the file system.

The JarFileClassLoader should of course only allow resources to be loaded from within the directory specified.


-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688697#action_12688697 ] 

Jarek Gawor commented on AXIS2-4282:
------------------------------------

Stoil,

No, it won't. It's the wsdl parser's responsibility to resolve "../test.xsd" against "META-INF/dir1/dir2/test.wsdl". That results in META-INF/dir1/test.xsd, which then should be passed to the classloader.




[jira] Resolved: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Andreas Veithen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Veithen resolved AXIS2-4282.
------------------------------------

    Resolution: Fixed

Checked that the behavior is compatible with URLClassLoader and added a unit test. Note that URLClassLoader doesn't seem to adhere strictly to the rules in [1] which forbid ".." altogether. URLClassLoader allows ".." in resource names as long as the resource name doesn't specify a file outside of the directory (e.g. "META-INF/../someother.file"). So no need to further restrict allowable resource names.

[1] http://java.sun.com/j2se/1.4.2/docs/guide/resources/resources.html



[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688340#action_12688340 ] 

Jarek Gawor commented on AXIS2-4282:
------------------------------------

I'm not too worried about that. In 99.99% cases no one will try to use ".." in resource names unless they are trying to hack something or are doing something totally wrong. But of course, if you want to improve this, please go ahead.




[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688713#action_12688713 ] 

Jarek Gawor commented on AXIS2-4282:
------------------------------------

The WSDL parser resolves relative imports based on the location of the document which has those imports. So for example if the "META-INF/dir1/dir2/test.wsdl" document has an import on "../test.xsd" then this will resolve to "META-INF/dir1/test.xsd". If the document is a file url or jar url or whatever url, the relative import will still be the same type of url, just with the resolved path as described before.

But this issue and fix have nothing to do with how wsdl and xsd imports are handled or resolved. The classloader that is tied to a particular directory must only serve resources and classes from within that directory. The fix ensures that. That's all.





[jira] Reopened: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Andreas Veithen (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Andreas Veithen reopened AXIS2-4282:
------------------------------------


The fix only rejects resource names such as "META-INF/../../some.file" which would be outside of the directory. We should go one step further and also exclude "META-INF/../someother.file", i.e. any resource name with a ".." component. Indeed, according to the JRE documentation [1]:

"A resource is identified by a String. This String, while possibly empty, is a /-separated sequence of substrings, each a valid Java programming language identifier, followed by a name of the form "<shortName>" or "<shortName>.<extension>". Both "shortName" and "extension" are composed of valid Java Letters and Numbers (section 3.8 in JLS)."

[1] http://java.sun.com/j2se/1.4.2/docs/guide/resources/resources.html

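The containment rule this thread converges on, as an added example that is not Axis2's JarFileClassLoader code: the first fix rejected names that normalize to a location outside the directory entry, and the final resolution deliberately kept ".." segments that stay inside the directory, matching URLClassLoader. The class name DirectoryResourceResolver and the constructed sample names are assumptions of this example.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Example (not Axis2 code): resolves a class-loader resource name against a
 * directory classpath entry and returns null, as getResource() would, for
 * anything that would be served from outside that directory.
 */
public final class DirectoryResourceResolver {

    private final Path root;

    public DirectoryResourceResolver(Path dir) throws IOException {
        // Canonicalize the root once, so "." segments or a symlinked root
        // cannot make the prefix comparison below give a wrong answer.
        this.root = dir.toRealPath();
    }

    /** Returns the resolved path, or null if the name escapes the root. */
    public Path resolve(String resourceName) {
        // Resource names are '/'-separated and relative; an absolute name
        // would bypass the root entirely, so it is refused outright.
        if (resourceName == null || resourceName.startsWith("/")) {
            return null;
        }
        // normalize() collapses "." and ".." so the check sees the real target:
        //   "META-INF/../x"    -> root/x        (inside, allowed)
        //   "META-INF/../../x" -> parent-of-root/x (outside, rejected)
        Path candidate = root.resolve(resourceName).normalize();
        // Path.startsWith compares whole name components, so a sibling
        // directory whose name merely begins with the root's name is rejected.
        if (!candidate.startsWith(root)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed scratch directory standing in for the classpath entry.
        Path dir = Files.createTempDirectory("axis2-4282-example");
        Files.createDirectories(dir.resolve("META-INF"));
        Files.createFile(dir.resolve("inside.txt"));
        DirectoryResourceResolver resolver = new DirectoryResourceResolver(dir);
        String[] names = {
            "META-INF/../inside.txt",     // ".." but still inside: allowed
            "inside.txt",                 // plain name: allowed
            "../inside.txt",              // escapes the root: rejected
            "META-INF/../../inside.txt",  // escapes the root: rejected
            "/absolute/elsewhere.txt"     // absolute name: rejected
        };
        for (String name : names) {
            Path p = resolver.resolve(name);
            System.out.println(name + " -> " + (p == null ? "rejected" : p));
        }
    }
}
```

A unit test for such a loader should cover exactly these five shapes: the two ".." names that stay inside, which must keep working, and the three that leave the directory, which must return null rather than a file.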


[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Andreas Veithen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688700#action_12688700 ] 

Andreas Veithen commented on AXIS2-4282:
----------------------------------------

...except that this is probably not how the WSDL parser works. I didn't look at the code but I bet that the parser would first call getResource and then resolve "../test.xsd" against the returned URL. Since in the case discussed here, this will be a "file:" URL, the WSDL could still reference imports that are located outside of the root directory. (Note that this is actually not a security issue.)



[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688204#action_12688204 ] 

Jarek Gawor commented on AXIS2-4282:
------------------------------------

Yep. It's fixed in Geronimo too.




[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Stoil Valchkov (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688620#action_12688620 ] 

Stoil Valchkov commented on AXIS2-4282:
---------------------------------------

This fix will actually reject a case like an import location "../test.xsd" in "META-INF/dir1/dir2/test.wsdl", which is perfectly valid.




[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Davanum Srinivas (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688201#action_12688201 ] 

Davanum Srinivas commented on AXIS2-4282:
-----------------------------------------

Jarek,

JarFileClassLoader was originally from Geronimo...

thanks,
dims



[jira] Resolved: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Jarek Gawor (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Jarek Gawor resolved AXIS2-4282.
--------------------------------

    Resolution: Fixed

Committed fixes to trunk (revision 757306) and branches/java/1_5 (revision 757307).




[jira] Commented: (AXIS2-4282) JarFileClassLoader allows resources to be loaded from locations outside of the directory specified in its classpath

Posted by "Andreas Veithen (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/AXIS2-4282?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12688263#action_12688263 ] 

Andreas Veithen commented on AXIS2-4282:
----------------------------------------

I was wondering whether ".." is actually allowed in Java resource names. If not, we should try to implement JarFileClassLoader correctly once and for all.
