Posted to dev@tomcat.apache.org by co...@locus.apache.org on 2000/03/07 22:00:52 UTC

cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core Context.java

costin      00/03/07 13:00:52

  Modified:    src/share/org/apache/tomcat/core Context.java
  Log:
  Added an extra check to getResource() - it can now be used only to access resources
  in the local context. That prevents ".." abuse.
  
  Note that a bad servlet can still use File access - this extra check might
  catch some bugs and helps if you avoid using File ( which is a good idea for
  portability ). In general - getRealPath and File is a bad idea, use it only
  when you know what you're doing.
  
  This check can be removed after a SecurityManager is installed.
  
  Revision  Changes    Path
  1.66      +20 -6     jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java
  
  Index: Context.java
  ===================================================================
  RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v
  retrieving revision 1.65
  retrieving revision 1.66
  diff -u -r1.65 -r1.66
  --- Context.java	2000/03/01 07:51:41	1.65
  +++ Context.java	2000/03/07 21:00:50	1.66
  @@ -659,12 +659,26 @@
   	if(mappedPath == null )
   	    mappedPath=lr.getLookupPath();
   
  -        URL docBase = getDocumentBase();
  -
  -	url=new URL(docBase.getProtocol(), docBase.getHost(),
  -		       docBase.getPort(), docBase.getFile() + mappedPath);
  -	if( debug>9) log( "getResourceURL=" + url + " request=" + lr );
  -	return url;
  +        URL documentBase = getDocumentBase();
  +	try {
  +	    String contextHome=new File( docBase ).getCanonicalPath();
  +	    String realPath=contextHome + mappedPath;
  +	    
  +	    //   System.out.println("XXX " + realPath + " " + new File(realPath).getCanonicalPath() + " "  + contextHome );
  +	    if( ! new File(realPath).getCanonicalPath().startsWith(contextHome) ) {
  +		// no access to files in a different context.
  +		// XXX needs a better design - it should be in an interceptor,
  +		// in order to support non-file based repositories.
  +		return null;
  +	    }
  +	    url=new URL(documentBase.getProtocol(), documentBase.getHost(),
  +			documentBase.getPort(), realPath );
  +	    if( debug>9) log( "getResourceURL=" + url + " request=" + lr );
  +	    return url;
  +	} catch( IOException ex ) {
  +	    ex.printStackTrace();
  +	    return null;
  +	}
       }
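Review bot: The containment test on `if( ! new File(realPath).getCanonicalPath().startsWith(contextHome) )` is a bare string-prefix comparison, so a canonical path under a sibling directory whose name merely begins with the context's name (contextHome `.../app` versus a resolved `.../app2/...`) is accepted as local; comparing against the home plus a separator closes that gap, e.g. `String canon = new File(realPath).getCanonicalPath();` followed by `if( !canon.equals(contextHome) && !canon.startsWith(contextHome + File.separator) ) return null;`. The same line derives `contextHome` from `docBase`, while the local URL on the line above was renamed to `documentBase`, so `docBase` now resolves to something outside the hunk (presumably a field) — worth confirming it denotes the same location as `getDocumentBase()`, otherwise the check and the returned URL are rooted at different places. In the catch block, `ex.printStackTrace();` bypasses the class's own `log(...)` used a few lines earlier; `log( "getResourceURL: " + ex );` keeps the failure in the same channel as the rest of the method. The enclosing method begins before the start of the hunk.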