Posted to dev@tomcat.apache.org by ma...@apache.org on 2001/04/07 03:07:19 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/util URLUtil.java

marcsaeg    01/04/06 18:07:19

  Modified:    src/share/org/apache/tomcat/core Tag: tomcat_32 Context.java
               src/share/org/apache/tomcat/util Tag: tomcat_32 URLUtil.java
  Log:
  Fixes a security hole caused by URLs being decoded twice.  The second
  decoding is happening when an InputStream is opened on a file: URL.  The
  security problem does not appear when using JDK1.2.2.
  
  Revision  Changes    Path
  No                   revision
  
  
  No                   revision
  
  
  1.100.2.6 +8 -2      jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java
  
  Index: Context.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v
  retrieving revision 1.100.2.5
  retrieving revision 1.100.2.6
  diff -u -r1.100.2.5 -r1.100.2.6
  --- Context.java	2001/03/16 23:43:53	1.100.2.5
  +++ Context.java	2001/04/07 01:07:18	1.100.2.6
  @@ -168,6 +168,8 @@
       String vhost=null;
       Vector vhostAliases=new Vector();
       FacadeManager facadeM;
  +
  +    private boolean fileURLBug = URLUtil.hasFileURLBug();	// Saves a synchronized method call for each request
       
       public Context() {
   	defaultContainer=new Container();
  @@ -767,9 +769,13 @@
   	}
   	
   	try {
  -            url=new URL("file", null, 0,realPath );
  +        if(!fileURLBug){
  +            realPath = URLEncoder.encode(realPath);
  +        }
  +        System.out.println("Context.getResource:  realPath = " + realPath);
  +        url=new URL("file", null, 0,realPath );
   	    if( debug>9) log( "getResourceURL=" + url + " request=" + rpath );
  -	    return url;
  +        return url;
   	} catch( IOException ex ) {
   	    ex.printStackTrace();
   	    return null;
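Review bot: The added `System.out.println("Context.getResource:  realPath = " + realPath);` runs unconditionally on every resource lookup and writes the resolved filesystem path to stdout; it should be dropped or moved behind the existing `if( debug>9) log(...)` guard on the following line. Separately, `URLEncoder.encode(realPath)` applies form encoding, so `/` becomes `%2F` and a space becomes `+`. Whether the file: handler on the decoding JDKs turns `+` back into a space is not visible from this hunk, so paths containing spaces or `+` need a test. Escaping only `%` (as `%25`) appears to be all the double-decoding fix requires and would avoid the question. The enclosing method starts and ends outside the hunk.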
  
  
  
  No                   revision
  
  
  No                   revision
  
  
  1.7.2.1   +47 -3     jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java
  
  Index: URLUtil.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v
  retrieving revision 1.7
  retrieving revision 1.7.2.1
  diff -u -r1.7 -r1.7.2.1
  --- URLUtil.java	2000/05/01 23:07:48	1.7
  +++ URLUtil.java	2001/04/07 01:07:19	1.7.2.1
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7 2000/05/01 23:07:48 costin Exp $
  - * $Revision: 1.7 $
  - * $Date: 2000/05/01 23:07:48 $
  + * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7.2.1 2001/04/07 01:07:19 marcsaeg Exp $
  + * $Revision: 1.7.2.1 $
  + * $Date: 2001/04/07 01:07:19 $
    *
    * ====================================================================
    *
  @@ -65,7 +65,10 @@
   package org.apache.tomcat.util;
   
   import java.net.URL;
  +import java.net.URLConnection;
   import java.io.File;
  +import java.io.FileNotFoundException;
  +import java.io.InputStream;
   import java.net.MalformedURLException;
   import java.io.IOException;
   
  @@ -76,6 +79,9 @@
   
   public class URLUtil {
   
  +    private static boolean fileURLBug = false;
  +    private static boolean fileURLBugChecked = false;
  +
       public static URL resolve(String s)
   	throws MalformedURLException
       {
  @@ -183,4 +189,42 @@
   	    return null;
       }
   
  +    /*
  +     * There was a bug in versions of Suns Java runtime
  +     * in versions prior to 1.3.0 for file: URLs.  In those version
  +     * URL encodings (%HH) were not decoded, in 1.3.0 and later 
  +     * they are.  For example, in 1.2.2, the URL file:%2e would try
  +     * try to open a file called %2e.  In 1.3.0 and later it would
  +     * try to open the current directory (i.e. .).
  +     *
  +     * This extra URL decoding for file: URLs can open severe security
  +     * holes because it causes URLs to be decoded twice.  For example,
  +     * a request URI containing sequences of /%252e%252e would get
  +     * interpreted as sequences of /.. and could escape the web application.
  +     *
  +     * The only way to determine if the current VM suffers from this bug
  +     * of not is to execute a URLConnection.getInputStream() on a file 
  +     * URL
  +     *
  +     */
  +    public static synchronized boolean hasFileURLBug()
  +    {
  +        if(!fileURLBugChecked){
  +            fileURLBugChecked = true;
  +            fileURLBug = false;
  +            try{
  +                System.out.println("URLUtil.hasFileURLBug:  user.dir = " + System.getProperty("user.dir"));
  +                URL url = new URL("file:%2e");
  +                URLConnection con = url.openConnection();
  +                InputStream is = con.getInputStream();
  +            }catch(MalformedURLException e){
  +            }catch(FileNotFoundException e){
  +                fileURLBug = true;
  +            }catch(IOException e){
  +            }
  +        }
  +
  +        System.out.println("URLUtil.hasFileURLBug:  " + fileURLBug);
  +        return fileURLBug;
  +    }
   }
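Review bot: In `hasFileURLBug()` any `FileNotFoundException` from the probe is read as "this JVM does not decode file: URLs", and Context then skips the encoding. If opening `file:%2e` can fail that way for another reason (an unreadable working directory, say, which cannot be verified from this hunk), a decoding JVM would be misclassified in the unsafe direction. A comment on the `catch(FileNotFoundException e)` branch stating this assumption, and on the two empty catch blocks stating that they deliberately leave `fileURLBug` false, would make the intended default checkable. The probe's `InputStream is` is never closed; `is.close();` after `con.getInputStream()` fixes that. Both `System.out.println` calls should be removed or routed through the project's logging: the first prints `user.dir`, and the second sits outside the `if` and so prints on every call.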