Posted to dev@tomcat.apache.org by Glenn Nielsen <gl...@voyager.apg.more.net> on 2001/08/11 02:22:59 UTC
Re: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/httpHttpProcessor.java
"Craig R. McClanahan" wrote:
>
> On Fri, 10 Aug 2001, Incze Lajos wrote:
>
> > On Thu, Aug 09, 2001 at 07:43:00PM -0000, craigmcc@apache.org wrote:
> > > craigmcc 01/08/09 12:43:00
> > >
> > ...
> > > Make request URIs that contain "/..." (or any longer series of periods)
> > > invalid. On some (all?) Windows platforms, this causes the OS to walk the
> > > directory tree just like "../../.." type sequences do.
> > ...
> >
> > Is this a "feature" (I mean a documented thing) or a bug?
>
> IMHO it's a bug in the operating system, and it was a security flaw in
> Tomcat (which is not supposed to let you reference *anything* outside your
> web app's context).
>
> > And: if a bug
> > then - just theoretically - is that a good decision to program for bugs?
>
> What other choice would we have? Without doing this, there's nothing
> Tomcat could do to stop you from snooping the server's entire hard
> drive. And users would rightly say that Tomcat is broken if that were
> allowed.
>
There is an easy way to protect the server without using custom code
to overcome some OS bug: start Tomcat with -security and use a security
policy that uses java.io.FilePermissions to restrict access to
directories and files. :-)
This is a very good example of why you should use the Java SecurityManager.
Regards,
Glenn
----------------------------------------------------------------------
Glenn Nielsen glenn@more.net | /* Spelin donut madder |
MOREnet System Programming | * if iz ina coment. |
Missouri Research and Education Network | */ |
----------------------------------------------------------------------
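The check Craig describes in the quoted commit message, as an added example (this is not Tomcat's own HttpProcessor code): a path normaliser that collapses "." and ".." segments, refuses any request whose ".." segments would climb above the context root, and also refuses any segment made entirely of three or more periods, since on the Windows platforms mentioned those are walked like "..". The class name, the null-means-reject convention and the sample URIs in main are this example's assumptions.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example, not the Tomcat project's code.
 * Normalises a request URI path and rejects anything that could resolve
 * outside the web application root. Returns the normalised path, or null
 * when the request must be refused. Apply it to the percent-decoded path,
 * decoded exactly once, so "%2e%2e" cannot slip past the check.
 */
public final class RequestUriCheck {

    public static String normalize(String uri) {
        if (uri == null || !uri.startsWith("/")) {
            return null;                        // only absolute paths are acceptable
        }
        if (uri.indexOf('\0') >= 0 || uri.indexOf('\\') >= 0) {
            return null;                        // NUL and backslash are never legitimate here
        }
        Deque<String> out = new ArrayDeque<>();
        for (String seg : uri.split("/", -1)) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                       // "//" and "/./" are no-ops
            }
            if (seg.equals("..")) {
                if (out.isEmpty()) {
                    return null;                // would climb above the context root
                }
                out.removeLast();
                continue;
            }
            // The case from the commit message: a segment of three or more
            // periods is treated like ".." by some Windows file system APIs,
            // so it is refused outright rather than passed to the OS.
            if (seg.chars().allMatch(c -> c == '.')) {
                return null;
            }
            out.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String s : out) {
            sb.append('/').append(s);
        }
        if (uri.endsWith("/") && !out.isEmpty()) {
            sb.append('/');                     // keep a trailing slash for directory requests
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    public static void main(String[] args) {
        // Constructed sample URIs (assumptions of this example).
        String[] samples = {
            "/app/index.html",            // valid, unchanged
            "/app/./css/../style.css",    // normalises to /app/style.css
            "/app/../../etc/passwd",      // classic traversal, rejected
            "/app/.../WEB-INF/web.xml",   // the Windows "/..." case, rejected
            "/app/..../WEB-INF/web.xml"   // longer run of periods, rejected
        };
        for (String s : samples) {
            String n = normalize(s);
            System.out.println(s + " -> " + (n == null ? "REJECT" : n));
        }
    }
}
```

This check and Glenn's -security suggestion address different layers: the normaliser keeps the container from ever resolving a path outside the web application, while a java.io.FilePermission policy limits what the JVM may open even if a check like this one is bypassed, so the two are complementary rather than alternatives.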