You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2001/04/07 03:07:19 UTC
cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util URLUtil.java
marcsaeg 01/04/06 18:07:19
Modified: src/share/org/apache/tomcat/core Tag: tomcat_32 Context.java
src/share/org/apache/tomcat/util Tag: tomcat_32 URLUtil.java
Log:
Fixes a security hole caused by URLs being decoded twice. The second
decoding is happening when an InputStream is opened on a file: URL. The
security problem does not appear when using JDK1.2.2.
Revision Changes Path
No revision
No revision
1.100.2.6 +8 -2 jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java
Index: Context.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v
retrieving revision 1.100.2.5
retrieving revision 1.100.2.6
diff -u -r1.100.2.5 -r1.100.2.6
--- Context.java 2001/03/16 23:43:53 1.100.2.5
+++ Context.java 2001/04/07 01:07:18 1.100.2.6
@@ -168,6 +168,8 @@
String vhost=null;
Vector vhostAliases=new Vector();
FacadeManager facadeM;
+
+ private boolean fileURLBug = URLUtil.hasFileURLBug(); // Saves a synchronized method call for each request
public Context() {
defaultContainer=new Container();
@@ -767,9 +769,13 @@
}
try {
- url=new URL("file", null, 0,realPath );
+ if(!fileURLBug){
+ realPath = URLEncoder.encode(realPath);
+ }
+ System.out.println("Context.getResource: realPath = " + realPath);
+ url=new URL("file", null, 0,realPath );
if( debug>9) log( "getResourceURL=" + url + " request=" + rpath );
- return url;
+ return url;
} catch( IOException ex ) {
ex.printStackTrace();
return null;
No revision
No revision
1.7.2.1 +47 -3 jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java
Index: URLUtil.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v
retrieving revision 1.7
retrieving revision 1.7.2.1
diff -u -r1.7 -r1.7.2.1
--- URLUtil.java 2000/05/01 23:07:48 1.7
+++ URLUtil.java 2001/04/07 01:07:19 1.7.2.1
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7 2000/05/01 23:07:48 costin Exp $
- * $Revision: 1.7 $
- * $Date: 2000/05/01 23:07:48 $
+ * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7.2.1 2001/04/07 01:07:19 marcsaeg Exp $
+ * $Revision: 1.7.2.1 $
+ * $Date: 2001/04/07 01:07:19 $
*
* ====================================================================
*
@@ -65,7 +65,10 @@
package org.apache.tomcat.util;
import java.net.URL;
+import java.net.URLConnection;
import java.io.File;
+import java.io.FileNotFoundException;
+import java.io.InputStream;
import java.net.MalformedURLException;
import java.io.IOException;
@@ -76,6 +79,9 @@
public class URLUtil {
+ private static boolean fileURLBug = false;
+ private static boolean fileURLBugChecked = false;
+
public static URL resolve(String s)
throws MalformedURLException
{
@@ -183,4 +189,42 @@
return null;
}
+ /*
+ * There was a bug in versions of Suns Java runtime
+ * in versions prior to 1.3.0 for file: URLs. In those version
+ * URL encodings (%HH) were not decoded, in 1.3.0 and later
+ * they are. For example, in 1.2.2, the URL file:%2e would try
+ * try to open a file called %2e. In 1.3.0 and later it would
+ * try to open the current directory (i.e. .).
+ *
+ * This extra URL decoding for file: URLs can open severe security
+ * holes because it causes URLs to be decoded twice. For example,
+ * a request URI containing sequences of /%252e%252e would get
+ * interpreted as sequences of /.. and could escape the web application.
+ *
+ * The only way to determine if the current VM suffers from this bug
+ * of not is to execute a URLConnection.getInputStream() on a file
+ * URL
+ *
+ */
+ public static synchronized boolean hasFileURLBug()
+ {
+ if(!fileURLBugChecked){
+ fileURLBugChecked = true;
+ fileURLBug = false;
+ try{
+ System.out.println("URLUtil.hasFileURLBug: user.dir = " + System.getProperty("user.dir"));
+ URL url = new URL("file:%2e");
+ URLConnection con = url.openConnection();
+ InputStream is = con.getInputStream();
+ }catch(MalformedURLException e){
+ }catch(FileNotFoundException e){
+ fileURLBug = true;
+ }catch(IOException e){
+ }
+ }
+
+ System.out.println("URLUtil.hasFileURLBug: " + fileURLBug);
+ return fileURLBug;
+ }
}