Posted to dev@tomcat.apache.org by christopher hull <ch...@mediagate.com> on 2001/03/15 02:12:08 UTC

pathTranslated and pathInfo... More unsafe paths

But wait...
/WEB-INF/../../env.xml
is inside of
/WEB-INF/../env.xml
(see example below)

Do you have to specify all the sub-directories that a webapp uses?

Also, I've noticed an interesting and occasional unsafe path where a 
space is being introduced just before the path I supply to 
getResourceAsStream.

If I say servContext.getResourceAsStream("\path\foo.html");
I occasionally get an exception stating an unsafe path of...
w:\foo\bar\tomcat\webapps \path\foo.html

A space is being introduced just before the path I supply, but only 
sometimes.

Is there a reliable way to get the document root?
PathTranslated and PathInfo don't work the way they used to.

Running Tomcat 3.2.1

-Chris



Larry Isaacs wrote:

 > David,
 >
 > For security, web applications aren't allowed to access files outside
 > of the web application.  That is why /WEB-INF/../env.xml is okay
 > and /WEB-INF/../../env.xml isn't.
 >
 > Larry
 >
 > -----Original Message-----
 > From: David Soroko [mailto:davids@mannanetwork.com]
 > Sent: Tuesday, March 13, 2001 7:53 AM
 > To: tomcat-dev@jakarta.apache.org
 > Subject: Unsafe path ?
 >
 >
 > Hi all
 > From within a servlet I am trying to read a file in the following way
 > getServletContext().getResourceAsStream(getInitParameter("envFile"));
 > When the parameter envFile has the value /WEB-INF/../../env.xml
 > I am getting the following message from Tomcat:
 > Unsafe path D:\Jupiter\tomcat\webapps\dir1\dir2\dir3 /WEB-INF/../../env.xml
 > Any ideas why is that?
 > Interestingly, when the parameter envFile has the value /WEB-INF/../env.xml
 > Tomcat has no problems reading the file.
 > This is on Tomcat 3.2/Wintel.
 > TIA


-- 

Christopher Hull
Engineering Group Manager, Senior Software Architect
Mediagate Inc.
iPost Card http://web.mediagate.com/chris.hull
iPost Voice 408 261 7201
email chris.hull@mediagate.com




Re: pathTranslated and pathInfo... More unsafe paths

Posted by christopher hull <ch...@mediagate.com>.

Craig R. McClanahan wrote:

> 
> On Wed, 14 Mar 2001, christopher hull wrote:
> 
> 
>> Wow!  Thanks for the quick response.
>> 
>> The problem it turns out has nothing to do with spaces.  When 
>> getResourceAsStream() can't find a resource, it displays a space just 
>> after the root for convenience.  It turns out that getResourceAsStream
>>   is case sensitive.  Is there a way to tell getResourceAsStream
>>   not to be?
>> 
> 
> 
> Servlets are case sensitive.  Tomcat 3.1 and 3.2 (without the .1
> updates) had problems in this area that caused huge security holes because
> they were NOT completely case sensitive.
> 
> If you still want non-case-sensitive Tomcat, well, you've got the source
> code ... but you are totally on your own.
> 
> 
>> Thanks;
>> -Chris
>> 
> 
> 
> Craig McClanahan

Naw, case sensitive Tomcat sounds like the wrong answer.  We want to 
work with any servlet host.  We'll fix our XSL.  Thanks again.

-- 

Christopher Hull
Engineering Group Manager, Senior Software Architect
Mediagate Inc.
iPost Card     http://web.mediagate.com/chris.hull
iPost Voice    408 261 7201
email          chris.hull@mediagate.com


Re: pathTranslated and pathInfo... More unsafe paths

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 14 Mar 2001, christopher hull wrote:

> 
> Wow!  Thanks for the quick response.
> 
> The problem it turns out has nothing to do with spaces.  When 
> getResourceAsStream() can't find a resource, it displays a space just 
> after the root for convenience.  It turns out that getResourceAsStream
>   is case sensitive.  Is there a way to tell getResourceAsStream
>   not to be?
> 

Servlets are case sensitive.  Tomcat 3.1 and 3.2 (without the .1
updates) had problems in this area that caused huge security holes because
they were NOT completely case sensitive.

If you still want non-case-sensitive Tomcat, well, you've got the source
code ... but you are totally on your own.

> Thanks;
> -Chris
> 

Craig McClanahan



Re: pathTranslated and pathInfo... More unsafe paths

Posted by christopher hull <ch...@mediagate.com>.
Wow!  Thanks for the quick response.

The problem it turns out has nothing to do with spaces.  When 
getResourceAsStream() can't find a resource, it displays a space just 
after the root for convenience.  It turns out that getResourceAsStream
  is case sensitive.  Is there a way to tell getResourceAsStream
  not to be?

Thanks;
-Chris


Craig R. McClanahan wrote:

> 
> On Wed, 14 Mar 2001, christopher hull wrote:
> 
> 
>> But wait...
>> /WEB-INF/../../env.xml
>> is inside of
>> /WEB-INF/../env.xml
>> (see example below)
>> 
> 
> 
> When you start with a slash, that means you are resolving a URL relative
> to some "base".  The base that is used depends on the context you are
> using it in:
> 
> * For things like request dispatchers, and ServletContext.getResource(),
>   the base is the context root of your web application.
> 
> * For things sent to the browser, like a hyperlink:
> 	<a href="/WEB-INF/../../env.xml">Click Me</a>
>   the link would be resolved (by the browser) against the server root
>   of your web server.
> 
> 
>> Do you have to specify all the sub-directories that a webapp uses?
>> 
>> Also, I've noticed an interesting and occasional unsafe path where a 
>> space is being introduced just before the path I supply to 
>> getResourceAsStream.
>> 
>> If I say servContext.getResourceAsStream("\path\foo.html");
> 
> 
> This is actually an invalid path.  URLs always use forward slashes, even
> if some browsers (and some servers) let you get away with backslashes.
> 
> 
>> I occasionally get an exception stating an unsafe path of...
>> w:\foo\bar\tomcat\webapps \path\foo.html
>> 
>> A space is being introduced just before the path I supply, but only 
>> sometimes.
>> 
> 
> 
> Are you absolutely positive that the webapps directory is named
> "webapps" and not "webapps " (with a trailing space)?
> 
> 
>> Is there a reliable way to get the document root?
> 
> 
> You can get the context root of your webapp by calling:
> 	String rootPath =
>           getServletContext().getRealPath("/");
> if you are running under a servlet container that runs from unpacked
> directories (like Tomcat 3.2.1 does).  If you are running under a servlet
> container that runs web apps directly from a WAR file, there is no such
> thing as the pathname of the context root, and the above call will return
> null.
> 
> 
>> PathTranslated and PathInfo don't work the way they used to.
>> 
> 
> 
> Tomcat 3.1 had bugs in these calls -- Tomcat 3.2.1 works correctly.
> 
> 
>> Running Tomcat 3.2.1
>> 
>> -Chris
>> 
>> 
> 
> 
> Craig McClanahan


-- 

Christopher Hull
Engineering Group Manager, Senior Software Architect
Mediagate Inc.
iPost Card     http://web.mediagate.com/chris.hull
iPost Voice    408 261 7201
email          chris.hull@mediagate.com


Re: pathTranslated and pathInfo... More unsafe paths

Posted by "Craig R. McClanahan" <cr...@apache.org>.

On Wed, 14 Mar 2001, christopher hull wrote:

> 
> But wait...
> /WEB-INF/../../env.xml
> is inside of
> /WEB-INF/../env.xml
> (see example below)
> 

When you start with a slash, that means you are resolving a URL relative
to some "base".  The base that is used depends on the context you are
using it in:

* For things like request dispatchers, and ServletContext.getResource(),
  the base is the context root of your web application.

* For things sent to the browser, like a hyperlink:
	<a href="/WEB-INF/../../env.xml">Click Me</a>
  the link would be resolved (by the browser) against the server root
  of your web server.

> Do you have to specify all the sub-directories that a webapp uses?
> 
> Also, I've noticed an interesting and occasional unsafe path where a 
> space is being introduced just before the path I supply to 
> getResourceAsStream.
> 
> If I say servContext.getResourceAsStream("\path\foo.html");

This is actually an invalid path.  URLs always use forward slashes, even
if some browsers (and some servers) let you get away with backslashes.

> I occasionally get an exception stating an unsafe path of...
> w:\foo\bar\tomcat\webapps \path\foo.html
> 
> A space is being introduced just before the path I supply, but only 
> sometimes.
> 

Are you absolutely positive that the webapps directory is named
"webapps" and not "webapps " (with a trailing space)?

> Is there a reliable way to get the document root?

You can get the context root of your webapp by calling:
	String rootPath =
          getServletContext().getRealPath("/");
if you are running under a servlet container that runs from unpacked
directories (like Tomcat 3.2.1 does).  If you are running under a servlet
container that runs web apps directly from a WAR file, there is no such
thing as the pathname of the context root, and the above call will return
null.

> PathTranslated and PathInfo don't work the way they used to.
> 

Tomcat 3.1 had bugs in these calls -- Tomcat 3.2.1 works correctly.

> Running Tomcat 3.2.1
> 
> -Chris
> 
> 

Craig McClanahan
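
Added example, not part of the thread and not Tomcat's own code: a sketch of resolving a context-relative path against the context root, showing why /WEB-INF/../env.xml stays inside the web application while /WEB-INF/../../env.xml does not, and why a backslash path is invalid. The class and method names (ContextPathCheck, normalize) are hypothetical.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added illustration; not Tomcat's implementation. Names are hypothetical.
public class ContextPathCheck {

    /**
     * Normalizes a context-relative resource path and returns it, or returns
     * null if the path is invalid or climbs above the context root.
     */
    static String normalize(String path) {
        // Context-relative paths start with "/" and use forward slashes only.
        if (path == null || !path.startsWith("/") || path.indexOf('\\') >= 0) {
            return null;
        }
        Deque<String> stack = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;            // skip empty and current-directory segments
            }
            if (seg.equals("..")) {
                if (stack.isEmpty()) {
                    return null;     // ".." at the root would leave the web application
                }
                stack.removeLast();  // step back up one directory
            } else {
                stack.addLast(seg);
            }
        }
        return "/" + String.join("/", stack);
    }

    public static void main(String[] args) {
        // Constructed sample inputs, taken from the paths discussed in the thread.
        String[] samples = {
            "/WEB-INF/../env.xml",     // resolves to a file at the context root
            "/WEB-INF/../../env.xml",  // second ".." climbs above the context root
            "\\path\\foo.html",        // backslashes: not a valid URL path
            "/path/foo.html"
        };
        for (String s : samples) {
            String n = normalize(s);
            System.out.println(s + " -> " + (n == null ? "rejected" : n));
        }
    }
}
```

The check works on the URL path before any mapping to the file system, so it also applies when the container runs from a WAR file and getRealPath("/") returns null.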