You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by re...@apache.org on 2001/04/06 04:45:48 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets DefaultServlet.java WebdavServlet.java
remm 01/04/05 19:45:48
Modified: catalina/src/share/org/apache/catalina/servlets
DefaultServlet.java WebdavServlet.java
Log:
- Add addiotional check to prevent using DELETE and PUT on URLs
starting with /WEB-INF and /META-INF.
Revision Changes Path
1.35 +16 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
Index: DefaultServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- DefaultServlet.java 2001/04/05 18:47:50 1.34
+++ DefaultServlet.java 2001/04/06 02:45:48 1.35
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v 1.34 2001/04/05 18:47:50 remm Exp $
- * $Revision: 1.34 $
- * $Date: 2001/04/05 18:47:50 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v 1.35 2001/04/06 02:45:48 remm Exp $
+ * $Revision: 1.35 $
+ * $Date: 2001/04/06 02:45:48 $
*
* ====================================================================
*
@@ -122,7 +122,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.34 $ $Date: 2001/04/05 18:47:50 $
+ * @version $Revision: 1.35 $ $Date: 2001/04/06 02:45:48 $
*/
public class DefaultServlet
@@ -575,6 +575,12 @@
String path = getRelativePath(req);
+ if ((path.toUpperCase().startsWith("/WEB-INF")) ||
+ (path.toUpperCase().startsWith("/META-INF"))) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
+
// Looking for a Content-Range header
if (req.getHeader("Content-Range") != null) {
// No content range header is supported
@@ -636,6 +642,12 @@
}
String path = getRelativePath(req);
+
+ if ((path.toUpperCase().startsWith("/WEB-INF")) ||
+ (path.toUpperCase().startsWith("/META-INF"))) {
+ resp.sendError(HttpServletResponse.SC_FORBIDDEN);
+ return;
+ }
// Retrieve the Catalina context
// Retrieve the resources
1.17 +10 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
Index: WebdavServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- WebdavServlet.java 2001/04/05 19:03:08 1.16
+++ WebdavServlet.java 2001/04/06 02:45:48 1.17
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v 1.16 2001/04/05 19:03:08 remm Exp $
- * $Revision: 1.16 $
- * $Date: 2001/04/05 19:03:08 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v 1.17 2001/04/06 02:45:48 remm Exp $
+ * $Revision: 1.17 $
+ * $Date: 2001/04/06 02:45:48 $
*
* ====================================================================
*
@@ -125,7 +125,7 @@
* are handled by the DefaultServlet.
*
* @author Remy Maucherat
- * @version $Revision: 1.16 $ $Date: 2001/04/05 19:03:08 $
+ * @version $Revision: 1.17 $ $Date: 2001/04/06 02:45:48 $
*/
public class WebdavServlet
@@ -1685,6 +1685,12 @@
private boolean deleteResource(String path, HttpServletRequest req,
HttpServletResponse resp)
throws ServletException, IOException {
+
+ if ((path.toUpperCase().startsWith("/WEB-INF")) ||
+ (path.toUpperCase().startsWith("/META-INF"))) {
+ resp.sendError(WebdavStatus.SC_FORBIDDEN);
+ return false;
+ }
String ifHeader = req.getHeader("If");
if (ifHeader == null)