You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@turbine.apache.org by "Henning P. Schmiedehausen" <hp...@intermeta.de> on 2002/07/27 18:48:21 UTC

getRealPath Survey - please participate!

Hi,

to settle this argument, I actually went and got a bunch of servlet
engines besides the ones that I have readily available (I still can't
believe, that I sat through 155 MBytes of BEA WebLogic Download :-) I
shied away from Oracle 9iAS, though. 360 MBytes minimal install...)
and tested a demo servlet for various getRealPath() corner cases.

You can get the sources from

ftp://ftp.hometree.net/pub/webroottest/webroottest-1.0-dev.tar.gz

and you can get a readily deployable webroottest.war application from

ftp://ftp.hometree.net/pub/webroottest/webroottest.war

Please deploy this war

open <deployment_path>/webroottest in a browser,

and report the result with OS Version and Server version to me via
mail. I will compile a more comprehensive survey than the few that I
already have.

I'd especially like to see a few results on "the other platform"
(Windows) and with the Oracle iAS.

Ok, here are our winners:

========================================================================

Engine: Tomcat 4.0.4 standalone , RedHat Linux 6.2 (TDK style)

getRealPath("")    -> /webapps/webroottest
getRealPath("/")   -> /webapps/webroottest/
getRealPath(".")   -> /webapps/webroottest/.
getRealPath("..")  -> /webapps/webroottest/..

========================================================================

Engine: Tomcat 3.2.1, coupled with Apache 1.3.2x, RedHat Linux 6.2

getRealPath("")   -> /webapps/webroottest/
getRealPath("/")  -> /webapps/webroottest/
getRealPath(".")  -> /webapps/webroottest/.
getRealPath("..") -> null

Note: That is a cool idea for ".." 

========================================================================

Engine: Caucho Resin 2.1.3 standalone, RedHat Linux 7.3

getRealPath("")   -> /home/henning/java/resin-2.1.3/webapps/webroottest/
getRealPath("/")  -> /home/henning/java/resin-2.1.3/webapps/webroottest/
getRealPath(".")  -> /home/henning/java/resin-2.1.3/webapps/webroottest/
getRealPath("..") -> /home/henning/java/resin-2.1.3/doc/

Note: That is even cooler for ".."  ==:-) I wonder if there is an
exploit hidden somewhere. How about "../../webapps/something else..."

========================================================================

Engine: Sun ONE / iPlanet Webserver Enterprise 6.0SP2, RedHat Linux 7.3

getRealPath("")   -> null
getRealPath("/")  -> /webapps/webroottest
getRealPath(".")  -> /webapps/webroottest/.
getRealPath("..") -> /webapps/webroottest/..

Note: That is exactly what Stephane observed. 

========================================================================

Jetty 4.0.4, Redhat Linux 7.3

getRealPath("")   -> /tmp/Jetty__8080___webroottest/webapp
getRealPath("/")  -> /tmp/Jetty__8080___webroottest/webapp
getRealPath(".")  -> /tmp/Jetty__8080___webroottest/webapp
getRealPath("..") -> /tmp/Jetty__8080___webroottest/webapp

Note: Another idea for ".."

========================================================================

BEA WebLogic Application Server 7.0, RedHat Linux 7.3

getRealPath("")   -> null
getRealPath("/")  -> null
getRealPath(".")  -> null
getRealPath("..") -> null

Note: That one _really_ runs the app from the .war! Go baby!

========================================================================

Macromedia JRun 4, RedHat Linux 7.3

getRealPath("")   -> /home/henning/jrun/servers/demo/SERVER-INF/temp/webroottest.war/
getRealPath("/")  -> /home/henning/jrun/servers/demo/SERVER-INF/temp/webroottest.war/
getRealPath(".")  -> /home/henning/jrun/servers/demo/SERVER-INF/temp/webroottest.war/
getRealPath("..") -> /home/henning/jrun/servers/demo/SERVER-INF/temp/webroottest.war/..

========================================================================

Seven engines, seven different results (!) and even the two tested
Tomcat versions differ in their results (trailing slashes, ".."
behaviour) . Can anyone spell standard again here?

Did anyone ever tried Turbine with WebLogic? I wonder if it works.

	Regards
		Henning




-- 
Dipl.-Inf. (Univ.) Henning P. Schmiedehausen       -- Geschaeftsfuehrer
INTERMETA - Gesellschaft fuer Mehrwertdienste mbH     hps@intermeta.de

Am Schwabachgrund 22  Fon.: 09131 / 50654-0   info@intermeta.de
D-91054 Buckenhof     Fax.: 09131 / 50654-20   

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: getRealPath Survey - please participate!

Posted by Daniel Rall <dl...@finemaltcoding.com>.

Daniel Rall <dl...@finemaltcoding.com> writes:

> Henning's tests clearly demonstrate the need for configurable handling
> of calls to getRealPath() within Turbine.

Or even better, elmination of most uses of getRealPath() in favor
getResourceAsStream() (allowing Turbine to run from a packed WAR).
-- 

Daniel Rall <dl...@finemaltcoding.com>

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>

Re: getRealPath Survey - please participate!

Posted by Daniel Rall <dl...@finemaltcoding.com>.

Henning's tests clearly demonstrate the need for configurable handling
of calls to getRealPath() within Turbine.
-- 

Daniel Rall <dl...@finemaltcoding.com>

--
To unsubscribe, e-mail:   <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>