Posted to dev@tomcat.apache.org by ma...@apache.org on 2011/01/08 19:56:57 UTC
svn commit: r1056763 - in /tomcat/tc6.0.x/trunk: ./ STATUS.txt
java/org/apache/catalina/servlets/DefaultServlet.java
java/org/apache/catalina/servlets/WebdavServlet.java
webapps/docs/changelog.xml
Author: markt
Date: Sat Jan 8 18:56:57 2011
New Revision: 1056763
URL: http://svn.apache.org/viewvc?rev=1056763&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
Force DefaultServlet to serve all resources relative to context root regardless of mappings/mount point.
Prevents access to WEB-INF and META-INF when the default servlet is mapped to a sub-path. Also fixes WebdavServlet, which is affected for GET requests.
This is a breaking change for anyone re-mapping DefaultServlet to a sub-path (current behaviour is to remount the entire web application under the path, which exposes WEB-INF/META-INF).
Modified:
tomcat/tc6.0.x/trunk/ (props changed)
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Sat Jan 8 18:56:57 2011
@@ -1 +1 @@
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,77
0809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,8901
39,890265,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,944409,944416,945231,945808,945835,945841,946686
,948057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,961948,962865,962872,962881,962900,963106,963865,963868,964614,966177-966178,966292,966692,966863,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003461,1003481,1003488,1003556,1003572,1003581,1003861,1004868-1004869,1005452,1005467,1005647,1005802,1022120,1022134,1022323,1022415,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767,1033415,1033448,1033842,1037715,1037794,1037887,1037924,1038041,1044987,1055055,1055458
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,77
0809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,8901
39,890265,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,944409,944416,945231,945808,945835,945841,946686
,948057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,961948,962865,962872,962881,962900,963106,963865,963868,964614,966177-966178,966292,966692,966863,981815,988448,991837,993042,1001955,1002185,1002263,1002274,1002349,1002359,1002362,1002481,1002514,1003461,1003481,1003488,1003556,1003572,1003581,1003861,1004393,1004409,1004415,1004868-1004869,1004912,1005452,1005467,1005647,1005802,1022120,1022134,1022323,1022415,1022606,1022623,1024224,1024251,1026042,1026784,1026912,1026920,1029767,1033415,1033448,1033842,1033897,1037715,1037794,1037887,1037924,1038041,1044987,1055055,1055458
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=1056763&r1=1056762&r2=1056763&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Sat Jan 8 18:56:57 2011
@@ -61,24 +61,6 @@ PATCHES PROPOSED TO BACKPORT:
cause confusion. I'd prefer not to invent a new name, but mention the
one that we already have when documenting virtualClasspath.
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=50026
- Force DefaultServlet to serve all resources relative to context root
- regardless of mappings/mount point.
- Prevents access to WEB-INF and META-INF when the default servlet is
- mapped to a sub-path. Also fixes WebdavServlet, which is affected for GET
- requests.
- This is a breaking change for anyone re-mapping DefaultServlet to a sub-path
- (current behaviour is to remount the entire web application under the path,
- which exposes WEB-INF/META-INF).
- http://svn.apache.org/viewvc?rev=1004393&view=rev
- http://svn.apache.org/viewvc?rev=1004409&view=rev
- http://svn.apache.org/viewvc?rev=1004415&view=rev
- http://svn.apache.org/viewvc?rev=1004912&view=rev (fix for includes)
- +1: timw
- +1: markt, kkolinko,funkman if http://svn.apache.org/viewvc?rev=1033897&view=rev
- is also applied
- -1:
-
* Fix path parameter handling. Currently the following URL fails with a 404:
http://localhost:8080/examples/jsp/snp;x=y/snoop.jsp
http://people.apache.org/~kkolinko/patches/2010-11-17_tc6_path-params.patch
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1056763&r1=1056762&r2=1056763&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/DefaultServlet.java Sat Jan 8 18:56:57 2011
@@ -68,9 +68,44 @@ import org.apache.naming.resources.Resou
/**
- * The default resource-serving servlet for most web applications,
+ * <p>The default resource-serving servlet for most web applications,
* used to serve static resources such as HTML pages and images.
- *
+ * </p>
+ * <p>
+ * This servlet is intended to be mapped to <em>/</em> e.g.:
+ * </p>
+ * <pre>
+ * <servlet-mapping>
+ * <servlet-name>default</servlet-name>
+ * <url-pattern>/</url-pattern>
+ * </servlet-mapping>
+ * </pre>
+ * <p>It can be mapped to sub-paths, however in all cases resources are served
+ * from the web appplication resource root using the full path from the root
+ * of the web application context.
+ * <br/>e.g. given a web application structure:
+ *</p>
+ * <pre>
+ * /context
+ * /images
+ * tomcat2.jpg
+ * /static
+ * /images
+ * tomcat.jpg
+ * </pre>
+ * <p>
+ * ... and a servlet mapping that maps only <code>/static/*</code> to the default servlet:
+ * </p>
+ * <pre>
+ * <servlet-mapping>
+ * <servlet-name>default</servlet-name>
+ * <url-pattern>/static/*</url-pattern>
+ * </servlet-mapping>
+ * </pre>
+ * <p>
+ * Then a request to <code>/context/static/images/tomcat.jpg</code> will succeed
+ * while a request to <code>/context/images/tomcat2.jpg</code> will fail.
+ * </p>
* @author Craig R. McClanahan
* @author Remy Maucherat
* @version $Id$
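Review bot: The new class Javadoc describes how a sub-path mapping behaves but not why, and the reason is security-relevant: per the commit log, the old remounting behaviour exposed WEB-INF and META-INF. A closing sentence such as `Resources are always resolved from the context root and are never remounted under the mapped sub-path; remounting previously exposed WEB-INF and META-INF.` would stop a later change or subclass from quietly restoring it. Also, `web appplication` has a stray "p". If the `<servlet-mapping>` examples inside `<pre>` are literal angle brackets in the source rather than entities decoded by this mail rendering, they need `&lt;`/`&gt;` to show up in the generated docs.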
@@ -296,16 +331,26 @@ public class DefaultServlet
* @param request The servlet request we are processing
*/
protected String getRelativePath(HttpServletRequest request) {
+ // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
+ // serves resources from the web app root with context rooted paths.
+ // i.e. it can not be used to mount the web app root under a sub-path
+ // This method must construct a complete context rooted path, although
+ // subclasses can change this behaviour.
// Are we being processed by a RequestDispatcher.include()?
if (request.getAttribute(Globals.INCLUDE_REQUEST_URI_ATTR) != null) {
String result = (String) request.getAttribute(
Globals.INCLUDE_PATH_INFO_ATTR);
- if (result == null)
+ if (result == null) {
result = (String) request.getAttribute(
Globals.INCLUDE_SERVLET_PATH_ATTR);
- if ((result == null) || (result.equals("")))
+ } else {
+ result = (String) request.getAttribute(
+ Globals.INCLUDE_SERVLET_PATH_ATTR) + result;
+ }
+ if ((result == null) || (result.equals(""))) {
result = "/";
+ }
return (result);
}
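Review bot: In the include branch, `(String) request.getAttribute(Globals.INCLUDE_SERVLET_PATH_ATTR) + result` produces a path beginning with the literal text "null" if the servlet-path attribute is absent while the path-info attribute is set, and the `result == null` test that follows can no longer catch that case. The container presumably sets both attributes together, but that is not visible here, so reading the attribute into a local makes the assumption explicit: `String servletPath = (String) request.getAttribute(Globals.INCLUDE_SERVLET_PATH_ATTR);` and in the else branch `result = (servletPath == null) ? result : servletPath + result;`. The non-include branch in the next hunk (`request.getServletPath() + result`) has the same shape. getRelativePath's body continues outside this hunk.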
@@ -313,6 +358,8 @@ public class DefaultServlet
String result = request.getPathInfo();
if (result == null) {
result = request.getServletPath();
+ } else {
+ result = request.getServletPath() + result;
}
if ((result == null) || (result.equals(""))) {
result = "/";
@@ -323,6 +370,18 @@ public class DefaultServlet
/**
+ * Determines the appropriate path to prepend resources with
+ * when generating directory listings. Depending on the behaviour of
+ * {@link #getRelativePath(HttpServletRequest)} this will change.
+ * @param request the request to determine the path for
+ * @return the prefix to apply to all resources in the listing.
+ */
+ protected String getPathPrefix(final HttpServletRequest request) {
+ return request.getContextPath();
+ }
+
+
+ /**
* Process a GET request for the specified resource.
*
* @param request The servlet request we are processing
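Review bot: The Javadoc on getPathPrefix says the value "will change" depending on getRelativePath but does not state the contract a subclass has to keep. Judging by the render() call in the following hunk and the WebdavServlet override in this same commit, the prefix is combined with the relative path to build directory-listing links, so the two methods have to be overridden together. Suggested wording: `Subclasses that override getRelativePath(HttpServletRequest) to return a path that is not context-rooted must override this method as well, otherwise listing links will point at the wrong resources.`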
@@ -833,8 +892,7 @@ public class DefaultServlet
if (content) {
// Serve the directory browser
- renderResult =
- render(request.getContextPath(), cacheEntry);
+ renderResult = render(getPathPrefix(request), cacheEntry);
}
}
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java?rev=1056763&r1=1056762&r2=1056763&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java Sat Jan 8 18:56:57 2011
@@ -30,6 +30,7 @@ import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Enumeration;
import java.util.Hashtable;
+import java.util.Locale;
import java.util.Stack;
import java.util.TimeZone;
import java.util.Vector;
@@ -70,45 +71,58 @@ import org.xml.sax.SAXException;
* Servlet which adds support for WebDAV level 2. All the basic HTTP requests
* are handled by the DefaultServlet. The WebDAVServlet must not be used as the
* default servlet (ie mapped to '/') as it will not work in this configuration.
- * To enable WebDAV for a context add the following to web.xml:<br/><code>
- * <servlet><br/>
- * <servlet-name>webdav</servlet-name><br/>
- * <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class><br/>
- * <init-param><br/>
- * <param-name>debug</param-name><br/>
- * <param-value>0</param-value><br/>
- * </init-param><br/>
- * <init-param><br/>
- * <param-name>listings</param-name><br/>
- * <param-value>true</param-value><br/>
- * </init-param><br/>
- * </servlet><br/>
- * <servlet-mapping><br/>
- * <servlet-name>webdav</servlet-name><br/>
- * <url-pattern>/*</url-pattern><br/>
- * </servlet-mapping>
- * </code>
* <p/>
- * This will enable read only access. To enable read-write access add:<br/>
- * <code>
- * <init-param><br/>
- * <param-name>readonly</param-name><br/>
- * <param-value>false</param-value><br/>
- * </init-param><br/>
- * </code>
+ * Mapping a subpath (e.g. <code>/webdav/*</code> to this servlet has the effect
+ * of re-mounting the entire web application under that sub-path, with WebDAV
+ * access to all the resources. This <code>WEB-INF</code> and <code>META-INF</code>
+ * directories are protected in this re-mounted resource tree.
* <p/>
- * To make the content editable via a different URL, using the following
- * mapping:<br/>
- * <code>
- * <servlet-mapping><br/>
- * <servlet-name>webdav</servlet-name><br/>
- * <url-pattern>/webdavedit/*</url-pattern><br/>
+ * To enable WebDAV for a context add the following to web.xml:
+ * <pre>
+ * <servlet>
+ * <servlet-name>webdav</servlet-name>
+ * <servlet-class>org.apache.catalina.servlets.WebdavServlet</servlet-class>
+ * <init-param>
+ * <param-name>debug</param-name>
+ * <param-value>0</param-value>
+ * </init-param>
+ * <init-param>
+ * <param-name>listings</param-name>
+ * <param-value>false</param-value>
+ * </init-param>
+ * </servlet>
+ * <servlet-mapping>
+ * <servlet-name>webdav</servlet-name>
+ * <url-pattern>/*</url-pattern>
* </servlet-mapping>
- * </code>
- * <p/>
- * Don't forget to secure access appropriately to the editing URLs. With this
- * configuration the context will be accessible to normal users as before. Those
- * users with the necessary access will be able to edit content available via
+ * </pre>
+ * This will enable read only access. To enable read-write access add:
+ * <pre>
+ * <init-param>
+ * <param-name>readonly</param-name>
+ * <param-value>false</param-value>
+ * </init-param>
+ * </pre>
+ * To make the content editable via a different URL, use the following
+ * mapping:
+ * <pre>
+ * <servlet-mapping>
+ * <servlet-name>webdav</servlet-name>
+ * <url-pattern>/webdavedit/*</url-pattern>
+ * </servlet-mapping>
+ * </pre>
+ * By default access to /WEB-INF and META-INF are not available via WebDAV. To
+ * enable access to these URLs, use add:
+ * <pre>
+ * <init-param>
+ * <param-name>allowSpecialPaths</param-name>
+ * <param-value>true</param-value>
+ * </init-param>
+ * </pre>
+ * Don't forget to secure access appropriately to the editing URLs, especially
+ * if allowSpecialPaths is used. With the mapping configuration above, the
+ * context will be accessible to normal users as before. Those users with the
+ * necessary access will be able to edit content available via
* http://host:port/context/content using
* http://host:port/context/webdavedit/content
*
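Review bot: The new paragraph on sub-path mapping has wording slips that blur a security-relevant statement: `(e.g. <code>/webdav/*</code> to this servlet` never closes its parenthesis, and `This <code>WEB-INF</code> and <code>META-INF</code> directories are protected` should read `The ... directories are protected`. Further down, `access to /WEB-INF and META-INF are not available` and `use add:` need the same pass (`is not available`, `add:`), and `/META-INF` should carry its leading slash like `/WEB-INF`. Next to the allowSpecialPaths example it would help to say outright that combining it with `readonly` set to `false` makes the contents of WEB-INF writable over WebDAV, since the existing caution only says to secure the editing URLs.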
@@ -253,6 +267,13 @@ public class WebdavServlet
private int maxDepth = 3;
+ /**
+ * Is access allowed via WebDAV to the special paths (/WEB-INF and
+ * /META-INF)?
+ */
+ private boolean allowSpecialPaths = false;
+
+
// --------------------------------------------------------- Public Methods
@@ -271,6 +292,10 @@ public class WebdavServlet
maxDepth = Integer.parseInt(
getServletConfig().getInitParameter("maxDepth"));
+ if (getServletConfig().getInitParameter("allowSpecialPaths") != null)
+ allowSpecialPaths = Boolean.parseBoolean(
+ getServletConfig().getInitParameter("allowSpecialPaths"));
+
// Load the MD5 helper used to calculate signatures.
try {
md5Helper = MessageDigest.getInstance("MD5");
@@ -312,10 +337,21 @@ public class WebdavServlet
protected void service(HttpServletRequest req, HttpServletResponse resp)
throws ServletException, IOException {
- String method = req.getMethod();
+ final String path = getRelativePath(req);
+
+ // Block access to special subdirectories.
+ // DefaultServlet assumes it services resources from the root of the web app
+ // and doesn't add any special path protection
+ // WebdavServlet remounts the webapp under a new path, so this check is
+ // necessary on all methods (including GET).
+ if (isSpecialPath(path)) {
+ resp.sendError(WebdavStatus.SC_NOT_FOUND);
+ return;
+ }
+
+ final String method = req.getMethod();
if (debug > 0) {
- String path = getRelativePath(req);
log("[" + method + "] " + path);
}
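Review bot: The central check in service() answers SC_NOT_FOUND for special paths, while the destination check kept in the copy hunk and the deleteCollection hunk further down still use SC_FORBIDDEN, as did the per-method guards this commit removes. If hiding the existence of these directories is the intent, a line such as `// 404 rather than 403 so the presence of WEB-INF/META-INF is not disclosed` would record it. The check also relies on getRelativePath returning an already normalised path, which is not visible in this hunk and is worth stating in the same comment. With the guards deleted from the helper methods in later hunks, every path reaching them must have passed this check or the destination check, so any future caller that passes a different path needs its own isSpecialPath call. service()'s body continues outside the hunk.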
@@ -342,6 +378,19 @@ public class WebdavServlet
/**
+ * Checks whether a given path refers to a resource under
+ * <code>WEB-INF</code> or <code>META-INF</code>.
+ * @param path the full path of the resource being accessed
+ * @return <code>true</code> if the resource specified is under a special path
+ */
+ private final boolean isSpecialPath(final String path) {
+ return !allowSpecialPaths && (
+ path.toUpperCase(Locale.ENGLISH).startsWith("/WEB-INF") ||
+ path.toUpperCase(Locale.ENGLISH).startsWith("/META-INF"));
+ }
+
+
+ /**
* Check if the conditions specified in the optional If headers are
* satisfied.
*
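Review bot: isSpecialPath loses the rationale the removed call sites carried (`the "toUpperCase()" avoids problems on Windows systems`), and its Javadoc mentions neither the dependence on allowSpecialPaths nor that the match is a bare prefix, so a sibling name such as `/WEB-INFO` is treated as special too. If the broad prefix is deliberate fail-closed behaviour, say so in the Javadoc and move the Windows remark there, with a return tag along the lines of `@return true if access to the path must be refused; always false when allowSpecialPaths is set`. The upper-casing can be done once with `final String upper = path.toUpperCase(Locale.ENGLISH);`, and `final` on a private method is redundant.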
@@ -395,6 +444,20 @@ public class WebdavServlet
/**
+ * Determines the prefix for standard directory GET listings.
+ */
+ @Override
+ protected String getPathPrefix(final HttpServletRequest request) {
+ // Repeat the servlet path (e.g. /webdav/) in the listing path
+ String contextPath = request.getContextPath();
+ if (request.getServletPath() != null) {
+ contextPath = contextPath + request.getServletPath();
+ }
+ return contextPath;
+ }
+
+
+ /**
* OPTIONS Method.
*
* @param req The request
@@ -436,12 +499,6 @@ public class WebdavServlet
if (path.endsWith("/"))
path = path.substring(0, path.length() - 1);
- if ((path.toUpperCase().startsWith("/WEB-INF")) ||
- (path.toUpperCase().startsWith("/META-INF"))) {
- resp.sendError(WebdavStatus.SC_FORBIDDEN);
- return;
- }
-
// Properties which are to be displayed.
Vector<String> properties = null;
// Propfind depth
@@ -708,12 +765,6 @@ public class WebdavServlet
String path = getRelativePath(req);
- if ((path.toUpperCase().startsWith("/WEB-INF")) ||
- (path.toUpperCase().startsWith("/META-INF"))) {
- resp.sendError(WebdavStatus.SC_FORBIDDEN);
- return;
- }
-
boolean exists = true;
Object object = null;
try {
@@ -1580,20 +1631,14 @@ public class WebdavServlet
if (debug > 0)
log("Dest path :" + destinationPath);
- if ((destinationPath.toUpperCase().startsWith("/WEB-INF")) ||
- (destinationPath.toUpperCase().startsWith("/META-INF"))) {
+ // Check destination path to protect special sub-directories
+ if (isSpecialPath(destinationPath)) {
resp.sendError(WebdavStatus.SC_FORBIDDEN);
return false;
}
String path = getRelativePath(req);
- if ((path.toUpperCase().startsWith("/WEB-INF")) ||
- (path.toUpperCase().startsWith("/META-INF"))) {
- resp.sendError(WebdavStatus.SC_FORBIDDEN);
- return false;
- }
-
if (destinationPath.equals(path)) {
resp.sendError(WebdavStatus.SC_FORBIDDEN);
return false;
@@ -1787,12 +1832,6 @@ public class WebdavServlet
HttpServletResponse resp, boolean setStatus)
throws ServletException, IOException {
- if ((path.toUpperCase().startsWith("/WEB-INF")) ||
- (path.toUpperCase().startsWith("/META-INF"))) {
- resp.sendError(WebdavStatus.SC_FORBIDDEN);
- return false;
- }
-
String ifHeader = req.getHeader("If");
if (ifHeader == null)
ifHeader = "";
@@ -1872,8 +1911,8 @@ public class WebdavServlet
if (debug > 1)
log("Delete:" + path);
- if ((path.toUpperCase().startsWith("/WEB-INF")) ||
- (path.toUpperCase().startsWith("/META-INF"))) {
+ // Prevent deletion of special sub-directories
+ if (isSpecialPath(path)) {
errorList.put(path, new Integer(WebdavStatus.SC_FORBIDDEN));
return;
}
@@ -2009,9 +2048,7 @@ public class WebdavServlet
Vector<String> propertiesVector) {
// Exclude any resource in the /WEB-INF and /META-INF subdirectories
- // (the "toUpperCase()" avoids problems on Windows systems)
- if (path.toUpperCase().startsWith("/WEB-INF") ||
- path.toUpperCase().startsWith("/META-INF"))
+ if (isSpecialPath(path))
return;
CacheEntry cacheEntry = resources.lookupCache(path);
@@ -2296,9 +2333,7 @@ public class WebdavServlet
Vector propertiesVector) {
// Exclude any resource in the /WEB-INF and /META-INF subdirectories
- // (the "toUpperCase()" avoids problems on Windows systems)
- if (path.toUpperCase().startsWith("/WEB-INF") ||
- path.toUpperCase().startsWith("/META-INF"))
+ if (isSpecialPath(path))
return;
// Retrieving the lock associated with the lock-null resource
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=1056763&r1=1056762&r2=1056763&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Sat Jan 8 18:56:57 2011
@@ -153,6 +153,10 @@
Add security policy and token poller protection to the JRE memory leak
protection provided in Tomcat 6. (markt/kkolinko)
</add>
+ <add>
+ <bug>50026</bug>: Add support for mapping the default servlet to URLs
+ other than /. (timw)
+ </add>
<fix>
<bug>50128</bug>: Improve exception handling in PersistentManagerBase
when running with a security manager. (kkolinko)