You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/05/08 21:16:31 UTC

cvs commit: jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/resources StandardResources.java

craigmcc    00/05/08 12:16:27

  Modified:    proposals/catalina/src/share/org/apache/tomcat/resources
                        StandardResources.java
  Log:
  Avoid potential security problem (trying to use ../../.. to go outside of your
  context's document root) by refusing to return resources for paths that
  include "/.." in them.  A better solution would be to canonicalize the
  resulting path and validate that it's still within the context's document
  space.
  
  Revision  Changes    Path
  1.6       +8 -4      jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/resources/StandardResources.java
  
  Index: StandardResources.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/resources/StandardResources.java,v
  retrieving revision 1.5
  retrieving revision 1.6
  diff -u -r1.5 -r1.6
  --- StandardResources.java	2000/05/05 22:45:38	1.5
  +++ StandardResources.java	2000/05/08 19:16:25	1.6
  @@ -1,7 +1,7 @@
   /*
  - * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/resources/StandardResources.java,v 1.5 2000/05/05 22:45:38 craigmcc Exp $
  - * $Revision: 1.5 $
  - * $Date: 2000/05/05 22:45:38 $
  + * $Header: /home/cvs/jakarta-tomcat/proposals/catalina/src/share/org/apache/tomcat/resources/StandardResources.java,v 1.6 2000/05/08 19:16:25 craigmcc Exp $
  + * $Revision: 1.6 $
  + * $Date: 2000/05/08 19:16:25 $
    *
    * ====================================================================
    *
  @@ -101,7 +101,7 @@
    * </ul>
    *
    * @author Craig R. McClanahan
  - * @version $Revision: 1.5 $ $Date: 2000/05/05 22:45:38 $
  + * @version $Revision: 1.6 $ $Date: 2000/05/08 19:16:25 $
    */
   
   public final class StandardResources
  @@ -430,6 +430,8 @@
   
   	if (path == null)
   	    return (null);
  +	if (path.indexOf("/..") >= 0)
  +	    return (null);  // Refuse to interpret relative paths
   
   	// Deal with URL-based document root
   	if (fileBase == null) {
  @@ -481,6 +483,8 @@
   
   	if (path == null)
   	    return (null);
  +	if (path.indexOf("/..") >= 0)
  +	    return (null);  // Refuse to interpret relative paths
   
   	// Deal with URL-based document root
   	if (fileBase == null) {