Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/05/24 13:39:02 UTC
[tomcat] branch 9.0.x updated: Fix BZ 66609. Correctly escape XML directory listings
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push:
new ae809134ca Fix BZ 66609. Correctly escape XML directory listings
ae809134ca is described below
commit ae809134ca050ef258b87f25717fe8dcc993af5f
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed May 24 14:11:32 2023 +0100
Fix BZ 66609. Correctly escape XML directory listings
Based on #621 by Alex Kachanov
---
build.xml | 4 +-
.../apache/catalina/servlets/DefaultServlet.java | 2 +-
.../catalina/servlets/TestDefaultServlet.java | 34 ++++++++
test/webapp/bug66609/_listing.xslt | 90 ++++++++++++++++++++++
test/webapp/bug66609/a&a.txt | 1 +
test/webapp/bug66609/b'b.txt | 1 +
"test/webapp/bug66609/c\"c.txt" | 1 +
test/webapp/bug66609/d<d.txt | 1 +
test/webapp/bug66609/e>e.txt | 1 +
webapps/docs/changelog.xml | 5 ++
10 files changed, 138 insertions(+), 2 deletions(-)
diff --git a/build.xml b/build.xml
index bb29c06422..abc9b446c8 100644
--- a/build.xml
+++ b/build.xml
@@ -862,6 +862,7 @@
<exclude name="test/webapp-fragments/WEB-INF/classes/*.txt"/>
<exclude name="test/webapp/bug49nnn/*.txt"/>
<exclude name="test/webapp/bug53257/**/*.txt"/>
+ <exclude name="test/webapp/bug66609/*.txt"/>
<exclude name="test/webresources/**/*.txt"/>
<exclude name="**/*.mdl"/>
<exclude name="**/*.pem"/>
@@ -910,8 +911,9 @@
<exclude name=".*/**"/>
<exclude name="**/*.pem"/>
<!-- Exclude simple test files -->
- <exclude name="webapp/bug53257/**/*.txt"/>
<exclude name="webapp/bug49nnn/bug49464*"/>
+ <exclude name="webapp/bug53257/**/*.txt"/>
+ <exclude name="webapp/bug66609/*.txt"/>
<exclude name="webapp-fragments/WEB-INF/classes/*.txt"/>
<exclude name="webresources/**"/>
<!-- Exclude test files with unusual encodings -->
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
index 18c3dd5fd3..27d0dd1df7 100644
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -1726,7 +1726,7 @@ public class DefaultServlet extends HttpServlet {
.append('\'');
sb.append(" urlPath='")
.append(rewrittenContextPath)
- .append(rewriteUrl(directoryWebappPath + entry))
+ .append(Escape.xml(rewriteUrl(directoryWebappPath + entry)))
.append(childResource.isDirectory()?"/":"")
.append('\'');
if (childResource.isFile()) {
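Review bot: Only the `urlPath` attribute is escaped by this change; the rest of the same `<entry>` element — the attribute closed on the first context line, whatever is appended under `isFile()`, and the entry's text content — is outside the hunk, and since the fixtures include `'`, `"`, `<` and `>`, each of those pieces needs the same `Escape.xml` treatment or the listing is still ill-formed for some names. Worth confirming that `Escape.xml` escapes the single quote, because the attribute is delimited with `'` (`sb.append(" urlPath='")`); if it only handled `&`, `<`, `>` and `"`, the `b'b.txt` fixture would still terminate the attribute early. The enclosing method starts and ends outside the hunk.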
diff --git a/test/org/apache/catalina/servlets/TestDefaultServlet.java b/test/org/apache/catalina/servlets/TestDefaultServlet.java
index ac8e269d8a..1b63a64d27 100644
--- a/test/org/apache/catalina/servlets/TestDefaultServlet.java
+++ b/test/org/apache/catalina/servlets/TestDefaultServlet.java
@@ -608,4 +608,38 @@ public class TestDefaultServlet extends TomcatBaseTest {
return true;
}
}
+
+ /*
+ * Bug 66609
+ */
+ @Test
+ public void testXmlDirectoryListing() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+
+ File appDir = new File("test/webapp");
+ Context ctxt = tomcat.addContext("", appDir.getAbsolutePath());
+
+ Wrapper defaultServlet = Tomcat.addServlet(ctxt, "default", new DefaultServlet());
+ defaultServlet.addInitParameter("listings", "true");
+ defaultServlet.addInitParameter("localXsltFile", "_listing.xslt");
+
+ ctxt.addServletMappingDecoded("/", "default");
+
+ tomcat.start();
+
+ Map<String,List<String>> resHeaders= new HashMap<>();
+ String path = "http://localhost:" + getPort() + "/bug66609/";
+ ByteChunk out = new ByteChunk();
+
+ int rc = getUrl(path, out, resHeaders);
+ Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+ String length = resHeaders.get("Content-Length").get(0);
+ Assert.assertEquals(Long.parseLong(length), out.getLength());
+ out.recycle();
+
+ rc = headUrl(path, out, resHeaders);
+ Assert.assertEquals(HttpServletResponse.SC_OK, rc);
+ Assert.assertEquals(0, out.getLength());
+ Assert.assertEquals(length, resHeaders.get("Content-Length").get(0));
+ }
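Review bot: The test never looks at the response body, so the escaping is checked only indirectly — an unescaped `&` or quote presumably makes the XML ill-formed and surfaces as a non-200 from the XSLT step, but a regression that produced well-formed yet wrong markup would pass. Capturing `out.toString()` before `out.recycle()` and asserting that each of the five fixture names is present in the rendered listing would pin the behaviour (the exact escaped form depends on `rewriteUrl` and the HTML serializer, so derive the expected strings from those). Separately, the fixtures `c"c.txt`, `d<d.txt` and `e>e.txt` use characters that are not legal in Windows file names, so if Windows is part of the test matrix the checkout itself fails there; creating the files under a temporary directory at test time, or `Assume`-skipping on Windows, would avoid that. Minor style: `resHeaders= new HashMap<>()` is missing the space before `=`.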
}
diff --git a/test/webapp/bug66609/_listing.xslt b/test/webapp/bug66609/_listing.xslt
new file mode 100644
index 0000000000..ee132052b1
--- /dev/null
+++ b/test/webapp/bug66609/_listing.xslt
@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+
+<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
+ version="3.0">
+
+ <xsl:output method="html" html-version="5.0"
+ encoding="UTF-8" indent="no"
+ doctype-system="about:legacy-compat"/>
+
+ <xsl:template match="listing">
+ <html>
+ <head>
+ <title>
+ Sample Directory Listing For
+ <xsl:value-of select="@directory"/>
+ </title>
+ <style>
+ h1 {color : white;background-color : #0086b2;}
+ h3 {color : white;background-color : #0086b2;}
+ body {font-family : sans-serif,Arial,Tahoma;
+ color : black;background-color : white;}
+ b {color : white;background-color : #0086b2;}
+ a {color : black;} HR{color : #0086b2;}
+ table td { padding: 5px; }
+ </style>
+ </head>
+ <body>
+ <h1>Sample Directory Listing For
+ <xsl:value-of select="@directory"/>
+ </h1>
+ <hr style="height: 1px;" />
+ <table style="width: 100%;">
+ <tr>
+ <th style="text-align: left;">Filename</th>
+ <th style="text-align: center;">Size</th>
+ <th style="text-align: right;">Last Modified</th>
+ </tr>
+ <xsl:apply-templates select="entries"/>
+ </table>
+ <xsl:apply-templates select="readme"/>
+ <hr style="height: 1px;" />
+ <h3>Apache Tomcat/11.0</h3>
+ </body>
+ </html>
+ </xsl:template>
+
+
+ <xsl:template match="entries">
+ <xsl:apply-templates select="entry"/>
+ </xsl:template>
+
+ <xsl:template match="readme">
+ <hr style="height: 1px;" />
+ <pre><xsl:apply-templates/></pre>
+ </xsl:template>
+
+ <xsl:template match="entry">
+ <tr>
+ <td style="text-align: left;">
+ <xsl:variable name="urlPath" select="@urlPath"/>
+ <a href="{$urlPath}">
+ <pre><xsl:apply-templates/></pre>
+ </a>
+ </td>
+ <td style="text-align: right;">
+ <pre><xsl:value-of select="@size"/></pre>
+ </td>
+ <td style="text-align: right;">
+ <pre><xsl:value-of select="@date"/></pre>
+ </td>
+ </tr>
+ </xsl:template>
+
+</xsl:stylesheet>
\ No newline at end of file
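Review bot: The fixture footer `<h3>Apache Tomcat/11.0</h3>` is misleading on the 9.0.x branch; it has no effect on the assertions, but `<h3>Apache Tomcat/9.0</h3>` (or dropping the version entirely) keeps the sample honest for anyone copying it as a template. The stylesheet also declares `version="3.0"` and `html-version="5.0"`; if the listing is transformed by the JDK's built-in XSLT 1.0 processor those are accepted under forward-compatibility but not honoured, which is worth a one-line comment so a reader does not expect HTML5 serialization. The file is also missing its trailing newline.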
diff --git a/test/webapp/bug66609/a&a.txt b/test/webapp/bug66609/a&a.txt
new file mode 100644
index 0000000000..a0aba9318a
--- /dev/null
+++ b/test/webapp/bug66609/a&a.txt
@@ -0,0 +1 @@
+OK
\ No newline at end of file
diff --git a/test/webapp/bug66609/b'b.txt b/test/webapp/bug66609/b'b.txt
new file mode 100644
index 0000000000..a0aba9318a
--- /dev/null
+++ b/test/webapp/bug66609/b'b.txt
@@ -0,0 +1 @@
+OK
\ No newline at end of file
diff --git "a/test/webapp/bug66609/c\"c.txt" "b/test/webapp/bug66609/c\"c.txt"
new file mode 100644
index 0000000000..a0aba9318a
--- /dev/null
+++ "b/test/webapp/bug66609/c\"c.txt"
@@ -0,0 +1 @@
+OK
\ No newline at end of file
diff --git a/test/webapp/bug66609/d<d.txt b/test/webapp/bug66609/d<d.txt
new file mode 100644
index 0000000000..a0aba9318a
--- /dev/null
+++ b/test/webapp/bug66609/d<d.txt
@@ -0,0 +1 @@
+OK
\ No newline at end of file
diff --git a/test/webapp/bug66609/e>e.txt b/test/webapp/bug66609/e>e.txt
new file mode 100644
index 0000000000..a0aba9318a
--- /dev/null
+++ b/test/webapp/bug66609/e>e.txt
@@ -0,0 +1 @@
+OK
\ No newline at end of file
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 28cc871d8b..71fdb65228 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -123,6 +123,11 @@
virtual threads. This Executor requires a minimum Java version of Java
21. (markt)
</add>
+ <fix>
+ <bug>66609</bug>: Ensure that the default servlet correctly escapes
+ file names in directory listings when using XML output. Based on pull
+ request <pr>621</pr> by Alex Kachanov. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">