Posted to dev@tomcat.apache.org by ma...@apache.org on 2014/01/10 15:07:45 UTC
svn commit: r1557127 -
/tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
Author: markt
Date: Fri Jan 10 14:07:45 2014
New Revision: 1557127
URL: http://svn.apache.org/r1557127
Log:
More graceful handling (a 403 rather than a 500 response) when file permissions allow Tomcat to know a resource exists but not to read it
Modified:
tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
Modified: tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1557127&r1=1557126&r2=1557127&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java Fri Jan 10 14:07:45 2014
@@ -724,6 +724,27 @@ public class DefaultServlet
return;
}
+ if (!resource.canRead()) {
+ // Check if we're included so we can return the appropriate
+ // missing resource name in the error
+ String requestUri = (String) request.getAttribute(
+ RequestDispatcher.INCLUDE_REQUEST_URI);
+ if (requestUri == null) {
+ requestUri = request.getRequestURI();
+ } else {
+ // We're included
+ // Spec doesn't say what to do in this case but a FNFE seems
+ // reasonable
+ throw new FileNotFoundException(
+ sm.getString("defaultServlet.missingResource",
+ requestUri));
+ }
+
+ response.sendError(HttpServletResponse.SC_FORBIDDEN,
+ requestUri);
+ return;
+ }
+
// If the resource is not a collection, and the resource path
// ends with "/" or "\", return NOT FOUND
if (resource.isFile()) {
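Review bot: The new `!resource.canRead()` branch answers 403 with the request URI, so a client can tell a present-but-unreadable path from an absent one. If revealing existence is not wanted, HTTP allows 404 in its place; either way the choice deserves a comment such as `// 403 (not 404) on purpose: confirms the path exists but is unreadable by the Tomcat user`. In the included case the branch throws `FileNotFoundException` with the `defaultServlet.missingResource` text, so a permissions problem looks the same as a missing file in logs; a distinct message for the unreadable case would help whoever triages it. The copied comment still says "missing resource name" although the resource exists here. The enclosing method starts and ends outside the hunk, so whether the URI passed to `sendError` is escaped when the error page is rendered cannot be confirmed from these lines.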