Posted to users@tomcat.apache.org by Constantin Erckenbrecht <co...@gmail.com> on 2017/08/31 16:03:52 UTC
Apache 7.0.81 - Can no longer use non-canonical paths in
extraResourcePaths of VirtualDirContext
Hi,
A change in 7.0.81/7.0.80 changed the File resolution in VirtualDirContext.
In 7.0.79 and before it was possible to use paths with /../ or any other
non-canonical path. This was particularly useful when using placeholders
that are being replaced at compile time like
extraResourcePaths="/=${project.basedir}/../some/other/dir"
The new calls to validate(File file, boolean mustExist, String
absoluteBase) prevent this, as inside the validate method the file name is
canonicalized and compared against the absoluteBase path, which is not being
canonicalized.
Hence, when using a non-canonical path as an extraResourcePath the validate
function incorrectly assumes that the requested file is outside the
application root.
Any chance that this can be fixed?
Thanks.
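
The mismatch described in the message above, as an added example (not part of the original post and not Tomcat's own code): a containment check that canonicalizes only the file rejects a legitimate resource when the base contains `/../`, while canonicalizing both sides accepts it and still rejects a path that escapes the base. The class and method names and the temporary directory layout are assumptions made for the illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class CanonicalBaseCheck {

    // Hypothetical check mirroring the behaviour described in the post:
    // the file is canonicalized, the base string is compared as given.
    static boolean insideBaseAsGiven(File file, String absoluteBase) throws IOException {
        return file.getCanonicalPath().startsWith(absoluteBase);
    }

    // Both sides canonicalized. The separator suffix keeps a sibling such as
    // <base>-other from matching a plain prefix comparison.
    static boolean insideBaseCanonical(File file, String absoluteBase) throws IOException {
        String base = new File(absoluteBase).getCanonicalPath();
        String path = file.getCanonicalPath();
        return path.equals(base) || path.startsWith(base + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/project, <tmp>/some/other/dir/index.html, <tmp>/secret.txt
        File root = Files.createTempDirectory("vdc").toFile().getCanonicalFile();
        File project = new File(root, "project");
        File extra = new File(root, "some" + File.separator + "other" + File.separator + "dir");
        if (!project.mkdirs() || !extra.mkdirs()) {
            throw new IOException("could not create sample directories");
        }
        new File(extra, "index.html").createNewFile();
        new File(root, "secret.txt").createNewFile();

        // Non-canonical base, the shape ${project.basedir}/../some/other/dir expands to.
        String base = project.getAbsolutePath() + File.separator + ".."
                + File.separator + "some" + File.separator + "other" + File.separator + "dir";

        File legit = new File(base, "index.html");
        File escape = new File(base, ".." + File.separator + ".." + File.separator
                + ".." + File.separator + "secret.txt");

        // Legitimate resource, base compared as given.
        System.out.println("as-given, legit:   " + insideBaseAsGiven(legit, base));
        // Same resource, both sides canonicalized.
        System.out.println("canonical, legit:  " + insideBaseCanonical(legit, base));
        // Path that climbs out of the base, both sides canonicalized.
        System.out.println("canonical, escape: " + insideBaseCanonical(escape, base));
    }
}
```
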
Re: Apache 7.0.81 - Can no longer use non-canonical paths in
extraResourcePaths of VirtualDirContext
Posted by Constantin Erckenbrecht <co...@gmail.com>.
Thanks for the prompt reply!
On Fri, Sep 1, 2017 at 2:12 PM, Mark Thomas <ma...@apache.org> wrote:
> On 31/08/17 17:03, Constantin Erckenbrecht wrote:
> > Hi,
> >
> > A change in 7.0.81/7.0.80 changed the File resolution in
> VirtualDirContext.
> >
> > In 7.0.79 and before it was possible to use paths with /../ or any other
> > non-canonical path. This was particularly useful when using placeholders
> > that are being replaced at compile time like
> >
> > extraResourcePaths="/=${project.basedir}/../some/other/dir"
> >
> > The new calls to validate(File file, boolean mustExist, String
> > absoluteBase) prevent this, as inside the validate method the file name
> is
> > canonicalized and compared against the absoluteBase path, which is not
> being
> > canonicalized.
> >
> > Hence, when using a non-canonical path as an extraResourcePath the
> validate
> > function incorrectly assumes that the requested file is outside the
> > application root.
> >
> > Any chance that this can be fixed?
>
> Fixed in 7.0.x for 7.0.82 onwards.
>
> Mark
>
--
Constantin Erckenbrecht
Re: Apache 7.0.81 - Can no longer use non-canonical paths in
extraResourcePaths of VirtualDirContext
Posted by Mark Thomas <ma...@apache.org>.
On 31/08/17 17:03, Constantin Erckenbrecht wrote:
> Hi,
>
> A change in 7.0.81/7.0.80 changed the File resolution in VirtualDirContext.
>
> In 7.0.79 and before it was possible to use paths with /../ or any other
> non-canonical path. This was particularly useful when using placeholders
> that are being replaced at compile time like
>
> extraResourcePaths="/=${project.basedir}/../some/other/dir"
>
> The new calls to validate(File file, boolean mustExist, String
> absoluteBase) prevent this, as inside the validate method the file name is
> canonicalized and compared against the absoluteBase path, which is not being
> canonicalized.
>
> Hence, when using a non-canonical path as an extraResourcePath the validate
> function incorrectly assumes that the requested file is outside the
> application root.
>
> Any chance that this can be fixed?
Fixed in 7.0.x for 7.0.82 onwards.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org