Posted to users@tomcat.apache.org by Pat Schaider <pa...@cider.fakkir.net> on 2002/02/26 04:02:59 UTC

jsp:include security question

Hello --

I am trying to get a new Tomcat system configured for my school's CS
department.  We want to use version 4 (I am working with 4.0.2).

We need a system that lets students keep their files private, to make sure
that nobody cheats by stealing somebody's servlets or jsp.  I am testing
it out to make sure that student1 cannot access the files of 
student2.  Also I should note that students will not be logging in to this
box so standard file permissions will not cut it.  Students will upload
all files through a script utility, so all files will be owned by that
user.

The problem is this: with a more-or-less default installation of Tomcat
using the security manager, in a jsp:include you can access outside of
your context using ../../../ .  Note that in other forms of reading the
files, the security manager correctly prohibits access (both in a
jsp:include giving the real path, and in standard programmatic file 
opening with real and ../ paths).  It's just in the case of the include
with relative path that it allows access to others' files.

Here's a sample line of a jsp that should generate an error, but
doesn't.  The contexts are foo1/ and foo2/, they are defined in separate
context tags.  This line is from a file in foo1/.
<jsp:include page="../../../foo2/jsp/include/junk.txt"/>

That line allows the script in foo1 to access the file in foo2/.  The same
path in a BufferedReader causes an error.

Somebody please help me.  Is this a configuration error, a bug, or am I
just being thick-headed about it???

Thanks for your time.

--==pat schaider==--
pat@cider.fakkir.net


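The behaviour the post describes is a path-resolution problem: a relative jsp:include target is resolved against the including page and then served without checking that the normalized result is still inside the calling context. The following is an added example, written for this page and not code from the post or from Tomcat, that models the check a container should apply before serving an include. The context paths (/foo1 and /foo2) and the included file come from the post; the location of the including page inside foo1 (/jsp/test.jsp) is an assumption, since the post only says the file lives in foo1/. The Java SecurityManager's FilePermission check is evaluated against the code that actually opens the file, so a check done at path-resolution time, as below, does not depend on which protection domain ends up reading the resource.

```python
import posixpath

# Constructed example values. The two contexts match the post; the path of
# the including page inside foo1 is an assumption (the post does not say).
CONTEXT_FOO1 = "/foo1"
INCLUDING_PAGE = "/jsp/test.jsp"
POSTED_INCLUDE = "../../../foo2/jsp/include/junk.txt"   # the line from the post


def normalize_include(context_path, including_page, target):
    """Resolve a jsp:include 'page' attribute to a normalized server path.

    context_path   - the context's URL prefix, e.g. "/foo1"
    including_page - context-relative path of the JSP doing the include
    target         - the 'page' attribute: a leading '/' means context-relative,
                     anything else is relative to the including page's directory
    """
    if target.startswith("/"):
        candidate = context_path + target
    else:
        candidate = context_path + posixpath.join(
            posixpath.dirname(including_page), target)
    # normpath collapses "." and ".." textually; on an absolute path any ".."
    # that would climb above "/" is dropped, so the result is always a clean
    # absolute path that can be compared against the context prefix.
    return posixpath.normpath(candidate)


def is_inside_context(context_path, normalized):
    """True when the normalized path is the context root or lies beneath it.

    The trailing "/" in the prefix test is what stops "/foo10/x" from being
    accepted as part of "/foo1".
    """
    return normalized == context_path or normalized.startswith(context_path + "/")


def resolve_include(context_path, including_page, target):
    """Return the normalized path, or raise PermissionError if it leaves the context."""
    normalized = normalize_include(context_path, including_page, target)
    if not is_inside_context(context_path, normalized):
        raise PermissionError(
            f"include {target!r} from {including_page!r} resolves to "
            f"{normalized!r}, outside context {context_path!r}")
    return normalized


def classify(context_path, including_page, target):
    """Return ("allowed", path) or ("denied", path) for a candidate include target."""
    normalized = normalize_include(context_path, including_page, target)
    verdict = "allowed" if is_inside_context(context_path, normalized) else "denied"
    return verdict, normalized


if __name__ == "__main__":
    cases = [
        POSTED_INCLUDE,                  # the post's line: escapes into foo2
        "include/junk.txt",              # sibling directory inside foo1
        "../index.jsp",                  # up one level, still inside foo1
        "/jsp/include/junk.txt",         # context-relative absolute path
        "../../../../foo1/secret.jsp",   # climbs past "/" but lands back in foo1
        "../../foo10/x.jsp",             # prefix trick against a naive startswith
    ]
    for t in cases:
        verdict, path = classify(CONTEXT_FOO1, INCLUDING_PAGE, t)
        print(f"{verdict:7} {t:32} -> {path}")
```

Running the block prints the verdict for each constructed target; the posted line normalizes to /foo2/jsp/include/junk.txt and is denied, while the four in-context forms are allowed. Whether a target that climbs above the context root and then descends back into it (the fifth case) should be accepted is a policy choice; this check accepts it because the final path is inside foo1, and a stricter container could reject any traversal that passes through the root at all.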