Posted to dev@tomcat.apache.org by cr...@locus.apache.org on 2000/03/26 03:58:27 UTC
cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/servlets DefaultServlet.java
craigmcc 00/03/25 17:58:26
Modified: src/share/org/apache/tomcat/core Context.java
src/share/org/apache/tomcat/servlets DefaultServlet.java
Log:
Partial fix for the "absolute paths starting with '\' under Windows" problem.
The default servlet now serves files correctly, but there are still problems with
class loading, indicating that something in the class path setters is still treating
these paths as relative (probably because it's calling java.io.File.isAbsolute() instead of
our work-around solution org.apache.tomcat.util.FileUtil.isAbsolute()).
PR:44
Submitted by: jamesm@webxi.com
Revision Changes Path
1.71 +3 -4 jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java
Index: Context.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v
retrieving revision 1.70
retrieving revision 1.71
diff -u -r1.70 -r1.71
--- Context.java 2000/03/21 19:19:40 1.70
+++ Context.java 2000/03/26 01:58:26 1.71
@@ -739,7 +739,7 @@
String realPath= this.getDocBase() + mappedPath;
- if (!(new File(realPath).isAbsolute()))
+ if (!FileUtil.isAbsolute(realPath))
realPath = contextM.getHome() + "/" + realPath;
// Probably not needed - it will be used on the local FS
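Review bot: Nothing at the new `if (!FileUtil.isAbsolute(realPath))` test says why the standard `File.isAbsolute()` is avoided, so a later cleanup could swap it back and reintroduce the Windows leading-'\' problem described in the log; the same applies to the matching change in `DefaultServlet.init()`. I would add a comment above each test, e.g. `// FileUtil.isAbsolute(): also treats a Windows path starting with '\' (no drive letter) as absolute`. Since the log says the class path setters still appear to call `File.isAbsolute()`, the same docBase can currently be judged absolute here and relative there, so a follow-up that routes every such check through the one helper is worth tracking. The enclosing method begins and ends outside this hunk.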
@@ -885,7 +885,7 @@
if( contextInterceptors.size() == 0 ) {
// this context was not set up with individual interceptors.
// XXX no test done for context-specific interceptors, this will be the normal
- // case, we need to find out what is the best behavior and config
+ // case, we need to find out what is the best behavior and config
return contextM.getContextInterceptors();
}
if( cInterceptors == null || cInterceptors.length != contextInterceptors.size()) {
@@ -916,7 +916,7 @@
if( requestInterceptors.size() == 0 ) {
// this context was not set up with individual interceptors.
// XXX no test done for context-specific interceptors, this will be the normal
- // case, we need to find out what is the best behavior and config
+ // case, we need to find out what is the best behavior and config
return contextM.getRequestInterceptors();
}
if( rInterceptors == null || rInterceptors.length != requestInterceptors.size()) {
@@ -964,7 +964,6 @@
// Used only by startup, will be removed
this.documentBase=s;
}
-
}
1.10 +30 -30 jakarta-tomcat/src/share/org/apache/tomcat/servlets/DefaultServlet.java
Index: DefaultServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/servlets/DefaultServlet.java,v
retrieving revision 1.9
retrieving revision 1.10
diff -u -r1.9 -r1.10
--- DefaultServlet.java 2000/03/16 20:43:24 1.9
+++ DefaultServlet.java 2000/03/26 01:58:26 1.10
@@ -3,7 +3,7 @@
*
* The Apache Software License, Version 1.1
*
- * Copyright (c) 1999 The Apache Software Foundation. All rights
+ * Copyright (c) 1999 The Apache Software Foundation. All rights
* reserved.
*
* Redistribution and use in source and binary forms, with or without
@@ -11,7 +11,7 @@
* are met:
*
* 1. Redistributions of source code must retain the above copyright
- * notice, this list of conditions and the following disclaimer.
+ * notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
@@ -19,15 +19,15 @@
* distribution.
*
* 3. The end-user documentation included with the redistribution, if
- * any, must include the following acknowlegement:
- * "This product includes software developed by the
+ * any, must include the following acknowlegement:
+ * "This product includes software developed by the
* Apache Software Foundation (http://www.apache.org/)."
* Alternately, this acknowlegement may appear in the software itself,
* if and wherever such third-party acknowlegements normally appear.
*
* 4. The names "The Jakarta Project", "Tomcat", and "Apache Software
* Foundation" must not be used to endorse or promote products derived
- * from this software without prior written permission. For written
+ * from this software without prior written permission. For written
* permission, please contact apache@apache.org.
*
* 5. Products derived from this software may not be called "Apache"
@@ -55,7 +55,7 @@
*
* [Additional notices, if required by prior licensing conditions]
*
- */
+ */
package org.apache.tomcat.servlets;
import org.apache.tomcat.core.*;
@@ -69,7 +69,7 @@
import javax.servlet.http.*;
/**
- *
+ *
* @author James Duncan Davidson [duncan@eng.sun.com]
* @author Jason Hunter [jch@eng.sun.com]
* @author James Todd [gonzo@eng.sun.com]
@@ -82,11 +82,11 @@
private Context context;
String docBase;
int debug=0;
-
+
public void init() throws ServletException {
contextF = getServletContext();
context = ((ServletContextFacade)getServletContext()).getRealContext();
-
+
// doesn't change - set it in init!
docBase = context.getDocBase();
if (! docBase.endsWith("/")) {
@@ -94,10 +94,10 @@
}
// ensure docBase relative to home
- if (!(new File(docBase)).isAbsolute())
+ if (!FileUtil.isAbsolute(docBase))
docBase = context.getContextManager().getHome() + "/" + docBase;
- // debug
+ // debug
String dbg=getServletConfig().getInitParameter("debug");
if( dbg!=null) debug=1;
}
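Review bot: The `docBase` computed in `init()` is the prefix of the later `new File(docBase + pathInfo)`, and that result feeds the `absPath`/`canPath` comparison which the file's own comment says plugs the `x.jsp.`, `x.Jsp` and `../` holes, yet nothing here records that dependency. With a docBase that starts with '\' and is no longer prefixed with the home directory, that comparison presumably runs on a path form it was not exercised with before. I would ask for a Windows test under such a docBase that serves an ordinary file and expects 404 for the three request forms named in that comment. A short comment at the new test would help, e.g. `// docBase may start with '\' on Windows; the absPath/canPath check when serving relies on this form surviving FileUtil.patch()`, to be confirmed against what `patch()` actually does.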
@@ -123,10 +123,10 @@
requestURI = request.getRequestURI();
}
- // Clean up pathInfo
+ // Clean up pathInfo
File file = new File(docBase + pathInfo);
String absPath = file.getAbsolutePath();
-
+
if( debug > 0 ) contextF.log( "DefaultServlet: " + absPath);
// take care of File.getAbsolutePath() troubles on
@@ -145,7 +145,7 @@
// check for welcome file
String welcomeFile = getWelcomeFile(file);
if( debug > 0 ) contextF.log( "DefaultServlet: welcome file: " + welcomeFile);
-
+
if (welcomeFile != null) {
if (requestURI.endsWith("/")) {
String path = requestURI;
@@ -244,28 +244,28 @@
absPath = FileUtil.patch(absPath);
// This absPath/canPath comparison plugs security holes...
- // On Windows, makes "x.jsp.", "x.Jsp", and "x.jsp%20"
+ // On Windows, makes "x.jsp.", "x.Jsp", and "x.jsp%20"
// return 404 instead of the JSP source
// On all platforms, makes sure we don't let ../'s through
// Unfortunately, on Unix, it prevents symlinks from working
// So, a check for File.separatorChar='\\' ..... It hopefully
// happens on flavors of Windows.
- if (File.separatorChar == '\\') {
+ if (File.separatorChar == '\\') {
// On Windows check ignore case....
if(!absPath.equalsIgnoreCase(canPath)) {
response.sendError(response.SC_NOT_FOUND);
return;
}
} else {
- // The following code on Non Windows disallows ../
- // in the path but also disallows symlinks....
- //
+ // The following code on Non Windows disallows ../
+ // in the path but also disallows symlinks....
+ //
// if(!absPath.equals(canPath)) {
// response.sendError(response.SC_NOT_FOUND);
// return;
// }
// instead lets look for ".." in the absolute path
- // and disallow only that.
+ // and disallow only that.
// Why should we loose out on symbolic links?
//
@@ -314,7 +314,7 @@
private void serveStream(InputStream in, HttpServletRequest request,
HttpServletResponse response)
throws IOException {
- // XXX
+ // XXX
// ok, here we are trying to figure out if the response has
// already been started with a stream or a writer. We really
// need to move these flags into the Request and Response objects
@@ -352,7 +352,7 @@
out.write(buf, 0, read);
}
}
-
+
private boolean isFileMasked(String docBase, String requestedFile) {
for (int i = 0; i < Constants.MASKED_DIR.length; i++) {
String maskFile = Constants.MASKED_DIR[i];
@@ -390,7 +390,7 @@
// genericize this! put it into another class! especially
// important as we should be able to dive into archives
// and get this same kind of information in the furture.
-
+
boolean shaderow = false;
// Make sure that we don't let ../'s through
@@ -403,22 +403,22 @@
absPath = FileUtil.patch(absPath);
- if (File.separatorChar == '\\') {
+ if (File.separatorChar == '\\') {
// On Windows check ignore case....
if(!absPath.equalsIgnoreCase(canPath)) {
response.sendError(response.SC_NOT_FOUND);
return;
}
} else {
- // The following code on Non Windows disallows ../
- // in the path but also disallows symlinks....
- //
+ // The following code on Non Windows disallows ../
+ // in the path but also disallows symlinks....
+ //
// if(!absPath.equals(canPath)) {
// response.sendError(response.SC_NOT_FOUND);
// return;
// }
// instead lets look for ".." in the absolute path
- // and disallow only that.
+ // and disallow only that.
// Why should we loose out on symbolic links?
//
@@ -463,7 +463,7 @@
files.addElement(f);
}
}
-
+
// Pre-calculate the request URI for efficiency
String requestURI = request.getRequestURI();
@@ -526,7 +526,7 @@
buf.append("<a href=\"" + toPath + "\"><tt>Up to: " + toPath);
buf.append("</tt></a></td></tr>\r\n");
}
-
+
if (dirs.size() > 0) {
buf.append("<tr><td colspan=3 bgcolor=#cccccc>");
buf.append("<font size=+2><strong>Subdirectories:</strong>\r\n");