Posted to commits@wicket.apache.org by "Sebastiaan van Erk (Created) (JIRA)" <ji...@apache.org> on 2012/02/25 00:41:49 UTC

[jira] [Created] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Possible to retrieve files from WEB-INF (e.g., web.xml).
--------------------------------------------------------

                 Key: WICKET-4431
                 URL: https://issues.apache.org/jira/browse/WICKET-4431
             Project: Wicket
          Issue Type: Bug
          Components: wicket
    Affects Versions: 1.5.4
            Reporter: Sebastiaan van Erk
            Priority: Critical


The following URL works to get the web.xml from the WEB-INF directory:

http://localhost:8080/wicket/resource/int/WEB-INF/web.xml

This is because the WebApplicationPath constructor by default adds /, allowing us to access the resources from the servlet context.

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators: https://issues.apache.org/jira/secure/ContactAdministrators!default.jspa
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

[jira] [Issue Comment Edited] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Sebastiaan van Erk (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216401#comment-13216401 ] 

Sebastiaan van Erk edited comment on WICKET-4431 at 2/25/12 10:57 AM:
----------------------------------------------------------------------

I don't really understand how this is a duplicate of WICKET-4430. The problem I'm pointing to in this case is the fact that the / of the servlet context directory is added to the directories searched for resources by default and there is no explicit protection to avoid accessing resources in the WEB-INF directory. This is a different problem than the scoping problem.

That is, the constructor of the WebApplicationPath is as follows:

	public WebApplicationPath(final ServletContext servletContext)
	{
		this.servletContext = servletContext;

		// adding root so servlet context resources are always checked
		webappPaths.add("/");
	}

and an instance of this class is used as a default resource finder.
                
      was (Author: sebster):
    I don't really understand how this is a duplicate of WICKET-4430. The problem I'm pointing to in this case is the fact that the / of the servlet context directory is added to the directories searched for resources by default and there is no explicit protection to avoid accessing resources in the WEB-INF directory. This is a different problem than the scoping problem.



[jira] [Commented] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Peter Ertl (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216496#comment-13216496 ] 

Peter Ertl commented on WICKET-4431:
------------------------------------

please try with wicket-1.5.x in trunk to see if it works...

and thanks for your help which is greatly appreciated :-)
                


[jira] [Updated] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Peter Ertl (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Ertl updated WICKET-4431:
-------------------------------

    Assignee: Peter Ertl
    


[jira] [Updated] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastiaan van Erk updated WICKET-4431:
---------------------------------------

    Comment: was deleted

(was: As an extra point to show that this is not the same issue, one can also access web.xml using the following URL:

http://localhost:8080/wicket/resource/Default/WEB-INF/web.xml

where Default is a class in the default package. This would require a class in the default package, of course, and that you know it, but this is not as hard to find as one might think (for example, many obfuscators put classes with easily guessable names, such as Za, in the default package; just using a library with one of those obfuscated classes in it is enough to make this attack work again).
)
    


[jira] [Commented] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Sebastiaan van Erk (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216404#comment-13216404 ] 

Sebastiaan van Erk commented on WICKET-4431:
--------------------------------------------

As an extra point to show that this is not the same issue, one can also access web.xml using the following URL:

                


[jira] [Commented] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Sebastiaan van Erk (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216401#comment-13216401 ] 

Sebastiaan van Erk commented on WICKET-4431:
--------------------------------------------

I don't really understand how this is a duplicate of WICKET-4430. The problem I'm pointing to in this case is the fact that the / of the servlet context directory is added to the directories searched for resources by default and there is no explicit protection to avoid accessing resources in the WEB-INF directory. This is a different problem than the scoping problem.
                


[jira] [Updated] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastiaan van Erk updated WICKET-4431:
---------------------------------------

    Comment: was deleted

(was: I don't really understand how this is a duplicate of WICKET-4430. The problem I'm pointing to in this case is the fact that the / of the servlet context directory is added to the directories searched for resources by default and there is no explicit protection to avoid accessing resources in the WEB-INF directory. This is a different problem than the scoping problem.

That is, the constructor of the WebApplicationPath is as follows:

	public WebApplicationPath(final ServletContext servletContext)
	{
		this.servletContext = servletContext;

		// adding root so servlet context resources are always checked
		webappPaths.add("/");
	}

and an instance of this class is used as a default resource finder.)
    


[jira] [Commented] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Peter Ertl (Commented) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216495#comment-13216495 ] 

Peter Ertl commented on WICKET-4431:
------------------------------------

it should be the same since specifying 'int' did resolve into the default package. 

the logic is 

   org.apache.wicket.application.AbstractClassResolver.resolveClass("int") -> int.class

and

   int.class.getPackage() -> null (default package)

in current trunk any attempt to access the default package

   class.getPackage() == null

is (hopefully) blocked now.
                

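Both checks this thread asks for, as one added example in plain Java (not Wicket's code and not using Wicket's API): the explicit WEB-INF protection Sebastiaan wants in front of the "/" root entry of the search path, and the rejection of a default-package scope that Peter describes for resolveClass("int") with getPackage() == null. The class WebappResourceGuard, its method names and the sample paths are assumptions for illustration.

```java
import java.util.Locale;

/**
 * Added example, not Wicket's own code. A finder that consults the servlet context should
 * apply both checks before calling ServletContext.getResource(): (1) refuse a scope class in
 * the default package (int.class, a class named Default, an obfuscator's Za), whose "package
 * path" is the webapp root; (2) refuse any path naming WEB-INF or META-INF, whatever scope
 * produced it, so the "/" entry of the search path cannot hand out web.xml.
 */
public final class WebappResourceGuard {
    /** Directories the servlet-context lookup must never serve (compared case-insensitively). */
    private static final String[] FORBIDDEN_DIRS = { "WEB-INF", "META-INF" };

    /**
     * True only if the scope class lives in a named package. The class name is tested instead
     * of getPackage(): Java 8 returns null for the default package, Java 9+ returns the
     * unnamed package with an empty name, and the name test covers both.
     */
    public static boolean isScopeAllowed(Class<?> scope) {
        if (scope == null || scope.isPrimitive() || scope.isArray()) {
            return false;   // int.class and friends have no package at all
        }
        return scope.getName().indexOf('.') >= 0;
    }

    /**
     * True only if 'path', relative to the webapp root (e.g. "img/logo.png"), may be looked up.
     * Rejects leading slashes, empty segments, "." and "..", backslashes, NUL, percent-encoding,
     * and any segment equal to WEB-INF or META-INF.
     */
    public static boolean isPathAllowed(String path) {
        if (path == null || path.isEmpty()) {
            return false;
        }
        // Do not decode: a still-encoded "%2e%2e" or "%2f" would slip past a plain string test.
        if (path.indexOf('%') >= 0 || path.indexOf('\0') >= 0 || path.indexOf('\\') >= 0) {
            return false;
        }
        for (String seg : path.split("/", -1)) {
            // Only canonical relative paths pass: no "", ".", ".." anywhere
            if (seg.isEmpty() || seg.equals(".") || seg.equals("..")) {
                return false;
            }
            String upper = seg.toUpperCase(Locale.ROOT);
            for (String dir : FORBIDDEN_DIRS) {
                if (upper.equals(dir)) {
                    return false;   // "WEB-INF/web.xml", "x/web-inf/y", "META-INF/MANIFEST.MF"
                }
            }
        }
        return true;
    }

    /** The decision a finder takes before touching the servlet context. */
    public static boolean mayServe(Class<?> scope, String relativePath) {
        return isScopeAllowed(scope) && isPathAllowed(relativePath);
    }

    public static void main(String[] args) {
        // The report's URL reduced to scope "int" plus path "WEB-INF/web.xml", and a benign path
        System.out.println(mayServe(int.class, "WEB-INF/web.xml") + " " + mayServe(String.class, "WEB-INF/web.xml"));
        System.out.println(mayServe(String.class, "../WEB-INF/web.xml") + " " + mayServe(String.class, "img/logo.png"));
    }
}
```

The scope check alone would have closed the "int" URL from the report; the path check is what also closes the Default-class variant Sebastiaan raises, since there the scope is a real class and only the path reveals the problem.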

[jira] [Issue Comment Edited] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Sebastiaan van Erk (Issue Comment Edited) (JIRA)" <ji...@apache.org>.
    [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13216404#comment-13216404 ] 

Sebastiaan van Erk edited comment on WICKET-4431 at 2/25/12 11:44 AM:
----------------------------------------------------------------------

As an extra point to show that this is not the same issue, one can also access web.xml using the following URL:

http://localhost:8080/wicket/resource/Default/WEB-INF/web.xml

where Default is a class in the default package. This would require a class in the default package, of course, and that you know it, but this is not as hard to find as one might think (for example, many obfuscators put classes with easily guessable names, such as Za, in the default package; just using a library with one of those obfuscated classes in it is enough to make this attack work again).

                
      was (Author: sebster):
    As an extra point to show that this is not the same issue, one can also access web.xml using the following URL:

                  


[jira] [Resolved] (WICKET-4431) Possible to retrieve files from WEB-INF (e.g., web.xml).

Posted by "Peter Ertl (Resolved) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Peter Ertl resolved WICKET-4431.
--------------------------------

    Resolution: Duplicate

this is a duplicate of WICKET-4430
                


[jira] [Updated] (WICKET-4431) test

Posted by "Sebastiaan van Erk (Updated) (JIRA)" <ji...@apache.org>.
     [ https://issues.apache.org/jira/browse/WICKET-4431?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Sebastiaan van Erk updated WICKET-4431:
---------------------------------------

          Component/s:     (was: wicket)
             Priority: Trivial  (was: Critical)
          Description: test  (was: The following URL works to get the web.xml from the WEB-INF directory:

http://localhost:8080/wicket/resource/int/WEB-INF/web.xml

This is because the WebApplicationPath constructor by default adds / allowing us to access the resources from the servlet context.)
    Affects Version/s:     (was: 1.5.4)
              Summary: test  (was: Possible to retrieve files from WEB-INF (e.g., web.xml).)
    
> test
> ----
>
>                 Key: WICKET-4431
>                 URL: https://issues.apache.org/jira/browse/WICKET-4431
>             Project: Wicket
>          Issue Type: Bug
>            Reporter: Sebastiaan van Erk
>            Assignee: Peter Ertl
>            Priority: Trivial
>
> test
