Re: Xerces Parser Security and Path Problems

["Craig R. McClanahan" <cr...@apache.org>]

On Wed, 14 Nov 2001, Frank Lawlor wrote:

> Date: Wed, 14 Nov 2001 12:51:37 -0600
> From: Frank Lawlor <fr...@athensgroup.com>
> Reply-To: Tomcat Users List <to...@jakarta.apache.org>,
>      frank.lawlor@athensgroup.com
> To: "Tomcat (E-mail)" <to...@jakarta.apache.org>
> Subject: Xerces Parser Security and Path Problems
>
> I encountered  a couple of problems trying to use
> xerces and security in my application.
>
> BUG 1:
>
> I have xerces.jar in myapp/WEB-INF/lib.  This works
> fine until I turn on security (-security switch) which
> uses conf/catalina.policy.
>
> I added a permission for my application to do anything:
>    grant codeBase "file:${catalina.home}/webapps/myapp/-" {
>         permission java.security.AllPermission;
>    };
>
> This works fine except when I invoke xerces:
>         XMLReader xr = XMLReaderFactory.createXMLReader();
> 	...
>         xr.parse(my_xml_file);
>
> I get an access violation on the file (which is in myapp).
>
> If I move xerces.jar to common/lib this error goes away.
>
> There seems to be a problem related to security when loading
> jars from WEB-INF/lib.  This was reported earlier by Sergey V. Udaltsov
> in the post titled "policy for classes in WEB-INF/lib/my.jar".
>

It's not clear to me that this is a bug.

The exception goes away because the default catalina.policy grants all
permissions to code loaded from the common/lib directory.  If you want an
individual webapp to access files, you need to grant specific file
permissions to it -- see the examples at the bottom of
"conf/catalina.policy" for hints on how to do this.

Note that this would be required even if you wanted to use file I/O
directly in your servlet (as opposed to indirectly via the parser) -- the
default policy file completely disables file access for classes loaded
from /WEB-INF/classes or /WEB-INF/lib of your webapp.

> BUG 2:
>
> FURTHER, moving xerces.jar to common/lib seems to introduce
> its own problem related to the handling of DTDs.  A couple of my
> xml files have DTD specs like:
>    <!DOCTYPE links SYSTEM "../Links.dtd">
>
> I found that the parser computes the path relative to the startup
> directory of catalina, rather than relative to the location of the
> xml file.  It does not do this when it is in WEB-INF/lib.  This is
> clearly unusable since the web app author has no idea where
> the startup dir will be and no way to get the DTDs there.
>

How relative URLs are interpreted is up to the parser, not to Tomcat.  My
understanding is that they were supposed to be relative to the URL of the
document itself -- but you'd have to ask the Xerces folks what they are
asuming.

One thing I generally do is to implement an EntityResolver so that I can
redirect these kinds of things in an application-specific way.

>
> Am I missing something here on how this is supposed to
> operate or are these legitimate bugs?
>
> Frank Lawlor
> Athens Group, Inc.
> (512) 345-0600 x151
> Athens Group, an employee-owned consulting firm integrating technology
> strategy and software solutions.
>

Craig


--
To unsubscribe:   <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>