Posted to commits@servicecomb.apache.org by GitBox <gi...@apache.org> on 2021/12/08 09:30:22 UTC

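[GitHub] [servicecomb-java-chassis] z00283015 opened a new issue #2659: When the file-upload temporary directory has the wrong owner, CSE throws java.nio.file.AccessDeniedException, but this exception cannot be caught, so the exception message is returned directly to the client, leaking the server path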

z00283015 opened a new issue #2659:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2659


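   Symptoms:
   The temporary file directory used by the service's upload feature has the wrong owner: it is owned by root rather than by the service user:
   ![image](https://user-images.githubusercontent.com/46476965/145182666-ce34cb7e-e1b2-45d8-97ba-50b9cb7ddbbe.png)
   After a user uses the upload feature on the web page, the API returns an error. Inspecting the API response shows that the error message exposes the server's path information:
   ![image](https://user-images.githubusercontent.com/46476965/145183134-f1338ea5-1354-4b9c-874c-80aac793c18c.png)
   After some searching, I found that this exception is printed in cse_run.log:
   ![image](https://user-images.githubusercontent.com/46476965/145183314-e611f77b-fe52-4ef0-9bd1-2a3d10460384.png)
   After trying, this exception cannot be caught with any of the methods in the following wiki:
   https://servicecomb.apache.org/references/java-chassis/zh_CN/general-development/error-handling.html
   Later, I consulted Liu Bao, and the conclusion was that this exception cannot be caught:
   However, since this problem leaks the server path, it is a security issue, so I suggest an improvement. Please help handle it, thanks :)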


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@servicecomb.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org
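
An added example, not part of the issue and not ServiceComb code: plain JDK Java showing why the path leaks (the message of an AccessDeniedException is the file path itself) and two application-side mitigations, a startup check on the upload directory and a generic client body with a correlation id. The class name, method names and sample path are hypothetical.

```java
import java.io.IOException;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.UUID;
import java.util.logging.Level;
import java.util.logging.Logger;

public class UploadErrorDemo {
    private static final Logger LOG = Logger.getLogger(UploadErrorDemo.class.getName());

    /** Fail fast at startup if this process cannot use the upload temp directory. */
    static void checkUploadDir(Path dir) throws IOException {
        if (!Files.isDirectory(dir) || !Files.isWritable(dir) || !Files.isExecutable(dir)) {
            // Operator-facing message: goes to the service log, never to a client.
            throw new IOException("upload temp directory is not usable by this process: " + dir);
        }
    }

    /** Log the full exception server-side; return only a generic body with an incident id. */
    static String toClientBody(Throwable t) {
        String incident = UUID.randomUUID().toString();
        LOG.log(Level.SEVERE, "upload failed, incident " + incident, t);
        return "{\"message\":\"Internal server error\",\"incident\":\"" + incident + "\"}";
    }

    public static void main(String[] args) {
        // Constructed sample path, not taken from the issue.
        Path tmp = Paths.get("/opt/example-app/upload-tmp");
        try {
            checkUploadDir(tmp);
        } catch (IOException e) {
            LOG.warning(e.getMessage());
        }
        // FileSystemException builds its message from the file path, so echoing
        // getMessage() into an HTTP response discloses the server's directory layout.
        Exception denied = new AccessDeniedException(tmp.resolve("part-0001.tmp").toString());
        System.out.println("raw message (must not reach the client): " + denied.getMessage());
        System.out.println("client body: " + toClientBody(denied));
    }
}
```

The incident id lets support staff find the full stack trace in the server log without the response carrying any filesystem detail.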



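[GitHub] [servicecomb-java-chassis] liubao68 commented on issue #2659: When the file-upload temporary directory has the wrong owner, CSE throws java.nio.file.AccessDeniedException, but this exception cannot be caught, so the exception message is returned directly to the client, leaking server path information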

Posted by GitBox <gi...@apache.org>.
liubao68 commented on issue #2659:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2659#issuecomment-1082654637


   fixed in 2.7.0





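[GitHub] [servicecomb-java-chassis] liubao68 closed issue #2659: When the file-upload temporary directory has the wrong owner, CSE throws java.nio.file.AccessDeniedException, but this exception cannot be caught, so the exception message is returned directly to the client, leaking server path information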

Posted by GitBox <gi...@apache.org>.
liubao68 closed issue #2659:
URL: https://github.com/apache/servicecomb-java-chassis/issues/2659


   

