Posted to users@tomcat.apache.org by Constantin Erckenbrecht <co...@gmail.com> on 2017/08/31 16:03:52 UTC

Apache 7.0.81 - Can no longer use non-canonical paths in extraResourcePaths of VirtualDirContext

Hi,

A change in 7.0.81/7.0.80 changed the File resolution in VirtualDirContext.

In 7.0.79 and before it was possible to use paths with /../ or any other
non-canonical path. This was particularly useful when using placeholders
that are being replaced at compile time like

extraResourcePaths="/=${project.basedir}/../some/other/dir"

The new calls to validate(File file, boolean mustExist, String
absoluteBase) prevent this, as inside the validate method the file name is
canonicalized and compared against the absoluteBase path, which is not being
canonicalized.

Hence, when using a non-canonical path as an extraResourcePath the validate
function incorrectly assumes that the requested file is outside the
application root.

Any chance that this can be fixed?

Thanks.

Re: Apache 7.0.81 - Can no longer use non-canonical paths in extraResourcePaths of VirtualDirContext

Posted by Constantin Erckenbrecht <co...@gmail.com>.
Thanks for the prompt reply!

On Fri, Sep 1, 2017 at 2:12 PM, Mark Thomas <ma...@apache.org> wrote:

> On 31/08/17 17:03, Constantin Erckenbrecht wrote:
> > Hi,
> >
> > A change in 7.0.81/7.0.80 changed the File resolution in VirtualDirContext.
> >
> > In 7.0.79 and before it was possible to use paths with /../ or any other
> > non-canonical path. This was particularly useful when using placeholders
> > that are being replaced at compile time like
> >
> > extraResourcePaths="/=${project.basedir}/../some/other/dir"
> >
> > The new calls to validate(File file, boolean mustExist, String
> > absoluteBase) prevent this, as inside the validate method the file name is
> > canonicalized and compared against the absoluteBase path, which is not being
> > canonicalized.
> >
> > Hence, when using a non-canonical path as an extraResourcePath the validate
> > function incorrectly assumes that the requested file is outside the
> > application root.
> >
> > Any chance that this can be fixed?
>
> Fixed in 7.0.x for 7.0.82 onwards.
>
> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
>
>


-- 
Constantin Erckenbrecht

Re: Apache 7.0.81 - Can no longer use non-canonical paths in extraResourcePaths of VirtualDirContext

Posted by Mark Thomas <ma...@apache.org>.
On 31/08/17 17:03, Constantin Erckenbrecht wrote:
> Hi,
> 
> A change in 7.0.81/7.0.80 changed the File resolution in VirtualDirContext.
> 
> In 7.0.79 and before it was possible to use paths with /../ or any other
> non-canonical path. This was particularly useful when using placeholders
> that are being replaced at compile time like
> 
> extraResourcePaths="/=${project.basedir}/../some/other/dir"
> 
> The new calls to validate(File file, boolean mustExist, String
> absoluteBase) prevent this, as inside the validate method the file name is
> canonicalized and compared against the absoluteBase path, which is not being
> canonicalized.
> 
> Hence, when using a non-canonical path as an extraResourcePath the validate
> function incorrectly assumes that the requested file is outside the
> application root.
> 
> Any chance that this can be fixed?

Fixed in 7.0.x for 7.0.82 onwards.

Mark
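
The mismatch described in this thread, as an added example that is not part of the original messages and is not Tomcat's source code: the first method canonicalizes only the file, the second canonicalizes both sides before comparing. The class and method names, the temporary directory layout and the file names are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class CanonicalBaseCheck {

    // Check as described in the thread: the file is canonicalized but the
    // base is used as configured. Hypothetical method, not Tomcat source.
    static boolean insideBaseMismatched(File file, String absoluteBase) throws IOException {
        return file.getCanonicalPath().startsWith(absoluteBase);
    }

    // Both sides canonicalized, then compared on a separator boundary so a
    // base of /srv/app does not also match /srv/app-other.
    static boolean insideBaseCanonical(File file, String base) throws IOException {
        String canonBase = new File(base).getCanonicalPath();
        String canonFile = file.getCanonicalPath();
        return canonFile.equals(canonBase)
                || canonFile.startsWith(canonBase + File.separator);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/project and <tmp>/some/other/dir/page.html
        File tmp = Files.createTempDirectory("vdc-demo").toFile();
        File project = new File(tmp, "project");
        File extraDir = new File(tmp, "some/other/dir");
        if (!project.mkdirs() || !extraDir.mkdirs()) {
            throw new IOException("could not create demo directories");
        }
        Files.createFile(new File(extraDir, "page.html").toPath());

        // Non-canonical base, as ${project.basedir}/../some/other/dir expands to
        String base = project.getAbsolutePath() + "/../some/other/dir";
        File served = new File(base, "page.html");
        File outside = new File(base, "../../../outside.txt");

        System.out.println("mismatched check, file under base: "
                + insideBaseMismatched(served, base));
        System.out.println("canonical check, file under base:  "
                + insideBaseCanonical(served, base));
        System.out.println("canonical check, file above base:  "
                + insideBaseCanonical(outside, base));
    }
}
```

Canonicalizing the base keeps the containment check intact: a request that resolves above the configured directory is still rejected, while a base written with /../ no longer fails the comparison.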