Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/11/18 01:09:44 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/facade ServletContextFacade.java

craigmcc    00/11/17 16:09:44

  Modified:    src/etc  Tag: tomcat_32 server.xml
               src/share/org/apache/tomcat/core Tag: tomcat_32 Context.java
               src/share/org/apache/tomcat/facade Tag: tomcat_32
                        ServletContextFacade.java
  Log:
  Implement a configuration option that prevents ServletContext.getContext()
  from returning the ServletContext of a different web application, which
  could otherwise allow a malicious webapp to bypass security constraints.
  This is in accordance with the JavaDoc comments for this method, which state:
  
  	"In a security conscious environment, the servlet
  	container may return null for a given URL."
  
  The default setting allows access to other contexts, because this was the
  previous behavior (and is the default behavior in Tomcat 4.0 at the
  moment as well).
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.29.2.9  +4 -1      jakarta-tomcat/src/etc/server.xml
  
  Index: server.xml
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/etc/server.xml,v
  retrieving revision 1.29.2.8
  retrieving revision 1.29.2.9
  diff -u -r1.29.2.8 -r1.29.2.9
  --- server.xml	2000/11/07 22:52:38	1.29.2.8
  +++ server.xml	2000/11/18 00:09:42	1.29.2.9
  @@ -264,7 +264,8 @@
   
                Defaults are: debug=0, reloadable=true, trusted=false
                (trusted allows you to access tomcat internal objects 
  -              with FacadeManager )
  +             with FacadeManager ), crossContext=true (allows you to
  +             access other contexts via ServletContext.getContext())
    
                If security manager is enabled, you'll have read perms.
                in the webapps dir and read/write in the workdir.
  @@ -272,6 +273,7 @@
   
           <Context path="/examples" 
                    docBase="webapps/examples" 
  +                 crossContext="false"
                    debug="0" 
                    reloadable="true" > 
           </Context>
  @@ -286,6 +288,7 @@
             -->
           <Context path="/admin" 
                    docBase="webapps/admin" 
  +                 crossContext="true"
                    debug="0" 
                    reloadable="true" 
                    trusted="false" > 
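Review bot: `crossContext="true"` on L64 restates the default that the comment block in the first hunk already documents, so a reader cannot tell whether it is deliberate or a leftover. Presumably the admin application needs to look up other web applications through ServletContext.getContext(); if so, a one-line XML comment above the attribute, such as `<!-- admin looks up other webapps via ServletContext.getContext() -->`, would make the intent explicit and keep it from being removed as redundant.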
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.100.2.4 +12 -1     jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java
  
  Index: Context.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v
  retrieving revision 1.100.2.3
  retrieving revision 1.100.2.4
  diff -u -r1.100.2.3 -r1.100.2.4
  --- Context.java	2000/10/11 00:24:44	1.100.2.3
  +++ Context.java	2000/11/18 00:09:42	1.100.2.4
  @@ -111,7 +111,7 @@
       // internal state / related objects
       private ContextManager contextM;
       private ServletContext contextFacade;
  -
  +    private boolean crossContext = true;
       private ServletLoader servletL;
       boolean reloadable=true; // XXX change default to false after testing
   
  @@ -194,6 +194,14 @@
   	contextM=cm;
       }
   
  +    public boolean getCrossContext() {
  +        return (this.crossContext);
  +    }
  +
  +    public void setCrossContext(boolean crossContext) {
  +        this.crossContext = crossContext;
  +    }
  +
       public FacadeManager getFacadeManager() {
   	if( facadeM==null ) {
   	    /* XXX make it configurable
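Review bot: The parentheses in `return (this.crossContext);` on L101 are redundant and do not match the bare returns elsewhere in this class; `return this.crossContext;` reads the same as the setter on L105. This is a point of style only.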
  @@ -726,6 +734,9 @@
   	    // if we can't  return a servlet, so it's more probable
   	    // servlets will check for null than IllegalArgument
   	}
  +        // Return null if cross context lookups are not allowed
  +        if (!crossContext)
  +            return null;
   	// absolute path
   	Request lr=contextM.createRequest( path );
   	if( vhost != null ) lr.setServerName( vhost );
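Review bot: The guard on L116-L117 runs before the path is resolved, so when crossContext is false this method returns null for every path, including one that lies inside the calling context itself. If same-context lookups are meant to keep working, the check should move after the lookup and compare the resolved Context with `this`; if an unconditional null is intended, the method's Javadoc should state that. The field is also read directly here while this same commit adds accessors, so `if (!getCrossContext())` would give a single point of change. getContext begins and ends outside this hunk, so the resolution code after L120 is inferred, not seen.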
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.3.2.2   +4 -1      jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/ServletContextFacade.java
  
  Index: ServletContextFacade.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/ServletContextFacade.java,v
  retrieving revision 1.3.2.1
  retrieving revision 1.3.2.2
  diff -u -r1.3.2.1 -r1.3.2.2
  --- ServletContextFacade.java	2000/11/10 06:42:49	1.3.2.1
  +++ ServletContextFacade.java	2000/11/18 00:09:44	1.3.2.2
  @@ -97,7 +97,10 @@
       // -------------------- Public facade methods --------------------
       public ServletContext getContext(String path) {
           Context target=context.getContext(path);
  -	return target.getFacade();
  +        if (target != null)
  +            return target.getFacade();
  +        else
  +            return null;
       }
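Review bot: The null return added on L147-L148 changes the facade's contract for every servlet that calls getContext(path), and nothing at the method documents when it happens; a comment above the check such as `// null when cross-context access is disabled for this context or, per Context.getContext, when the path cannot be resolved` would tell callers what to expect. The if/else can also be collapsed to `return (target != null) ? target.getFacade() : null;`.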