Posted to dev@tomcat.apache.org by re...@apache.org on 2002/02/27 20:16:16 UTC
cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core ApplicationContext.java
remm 02/02/27 11:16:16
Modified: catalina/src/share/org/apache/catalina/core
ApplicationContext.java
Log:
- Normalize RD paths, so that we prevent getting a RD for a path below the
context path.
Revision Changes Path
1.35 +41 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/ApplicationContext.java
Index: ApplicationContext.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/ApplicationContext.java,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- ApplicationContext.java 21 Dec 2001 21:15:45 -0000 1.34
+++ ApplicationContext.java 27 Feb 2002 19:16:16 -0000 1.35
@@ -1,7 +1,7 @@
/*
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/ApplicationContext.java,v 1.34 2001/12/21 21:15:45 craigmcc Exp $
- * $Revision: 1.34 $
- * $Date: 2001/12/21 21:15:45 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/core/ApplicationContext.java,v 1.35 2002/02/27 19:16:16 remm Exp $
+ * $Revision: 1.35 $
+ * $Date: 2002/02/27 19:16:16 $
*
* ====================================================================
*
@@ -114,7 +114,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.34 $ $Date: 2001/12/21 21:15:45 $
+ * @version $Revision: 1.35 $ $Date: 2002/02/27 19:16:16 $
*/
public class ApplicationContext
@@ -570,6 +570,8 @@
if (!path.startsWith("/"))
throw new IllegalArgumentException
(sm.getString("applicationContext.requestDispatcher.iae", path));
+ if (normalize(path) == null)
+ return (null);
// Construct a "fake" request to be mapped by our Context
String contextPath = context.getPath();
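Review bot: The value returned by normalize(path) in the added check is only compared with null and then discarded, so the mapping code that follows still works on the original string, with any backslashes and interior "/../" segments left in place. If that code (outside this hunk) resolves such segments differently from normalize(), the check and the actual dispatch can disagree about which resource is meant. Assigning the result closes that gap: `path = normalize(path);` followed by `if (path == null) return (null);`. If path can still carry a query string at this point, only the part before the `?` should be normalized; the rest of the method is not visible in the hunk, so this needs confirming against the full body.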
@@ -998,6 +1000,41 @@
// -------------------------------------------------------- Private Methods
+
+
+ /**
+ * Return a context-relative path, beginning with a "/", that represents
+ * the canonical version of the specified path after ".." and "." elements
+ * are resolved out. If the specified path attempts to go outside the
+ * boundaries of the current context (i.e. too many ".." path elements
+ * are present), return <code>null</code> instead.
+ *
+ * @param path Path to be normalized
+ */
+ private String normalize(String path) {
+
+ String normalized = path;
+
+ // Normalize the slashes and add leading slash if necessary
+ if (normalized.indexOf('\\') >= 0)
+ normalized = normalized.replace('\\', '/');
+
+ // Resolve occurrences of "/../" in the normalized path
+ while (true) {
+ int index = normalized.indexOf("/../");
+ if (index < 0)
+ break;
+ if (index == 0)
+ return (null); // Trying to go outside our context
+ int index2 = normalized.lastIndexOf('/', index - 1);
+ normalized = normalized.substring(0, index2) +
+ normalized.substring(index + 3);
+ }
+
+ // Return the normalized path that we have completed
+ return (normalized);
+
+ }
/**
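Review bot: normalize() matches only the literal "/../", so a path that ends in "/.." is returned unchanged, and "." or empty segments are counted as real directories when a following ".." is resolved, which lets a path climb one level higher than the loop accounts for. The Javadoc also promises that "." elements are resolved, and the first inline comment mentions adding a leading slash, but the body does neither. Closing a trailing dot segment and collapsing "//" and "/./" before the "/../" loop would make the null result match the documented contract. A `@return` tag stating that null means the path leaves the context would complete the Javadoc.

```java
private String normalize(String path) {
    // … unchanged: copy into normalized, backslash replacement …

    // Close a trailing "." or ".." segment so the loops below can see it
    if (normalized.endsWith("/.") || normalized.endsWith("/.."))
        normalized = normalized + "/";

    // Collapse empty segments so they are not counted as directories
    while (true) {
        int index = normalized.indexOf("//");
        if (index < 0)
            break;
        normalized = normalized.substring(0, index) +
            normalized.substring(index + 1);
    }

    // Resolve occurrences of "/./" in the normalized path
    while (true) {
        int index = normalized.indexOf("/./");
        if (index < 0)
            break;
        normalized = normalized.substring(0, index) +
            normalized.substring(index + 2);
    }

    // … unchanged: "/../" loop and return of normalized …
```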