Posted to dev@tomcat.apache.org by co...@locus.apache.org on 2000/03/07 22:00:52 UTC
cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/core Context.java
costin 00/03/07 13:00:52
Modified: src/share/org/apache/tomcat/core Context.java
Log:
Added an extra check to getResource(): it can now only be used to access resources
inside the local context, which prevents `..` (path traversal) abuse.
Note that a bad servlet can still use File access - this extra check might
catch some bugs and helps if you avoid using File ( which is a good idea for
portability ). In general - getRealPath and File is a bad idea, use it only
when you know what you're doing.
This check can be removed after a SecurityManager is installed.
Revision Changes Path
1.66 +20 -6 jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java
Index: Context.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v
retrieving revision 1.65
retrieving revision 1.66
diff -u -r1.65 -r1.66
--- Context.java 2000/03/01 07:51:41 1.65
+++ Context.java 2000/03/07 21:00:50 1.66
@@ -659,12 +659,26 @@
if(mappedPath == null )
mappedPath=lr.getLookupPath();
- URL docBase = getDocumentBase();
-
- url=new URL(docBase.getProtocol(), docBase.getHost(),
- docBase.getPort(), docBase.getFile() + mappedPath);
- if( debug>9) log( "getResourceURL=" + url + " request=" + lr );
- return url;
+ URL documentBase = getDocumentBase();
+ try {
+ String contextHome=new File( docBase ).getCanonicalPath();
+ String realPath=contextHome + mappedPath;
+
+ // System.out.println("XXX " + realPath + " " + new File(realPath).getCanonicalPath() + " " + contextHome );
+ if( ! new File(realPath).getCanonicalPath().startsWith(contextHome) ) {
+ // no access to files in a different context.
+ // XXX needs a better design - it should be in an interceptor,
+ // in order to support non-file based repositories.
+ return null;
+ }
+ url=new URL(documentBase.getProtocol(), documentBase.getHost(),
+ documentBase.getPort(), realPath );
+ if( debug>9) log( "getResourceURL=" + url + " request=" + lr );
+ return url;
+ } catch( IOException ex ) {
+ ex.printStackTrace();
+ return null;
+ }
}
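Review bot: The containment test on line 39 is a bare string prefix match, so a canonical path that merely begins with the context home still passes: with a context home of `/srv/app`, a mapped path of `/../app2/WEB-INF/web.xml` canonicalizes to `/srv/app2/WEB-INF/web.xml`, which `startsWith("/srv/app")` and is returned even though it lies in a sibling directory. Compare against the home plus a separator (and allow the exact home itself): `String prefix = contextHome.endsWith(File.separator) ? contextHome : contextHome + File.separator;` then `String canonical = new File(realPath).getCanonicalPath();` and `if( !canonical.equals(contextHome) && !canonical.startsWith(prefix) ) {`. Line 35 also builds the File from `docBase` while the new local on line 33 is named `documentBase`; if `docBase` is not a field of Context this will not compile, and if it is, a one-line comment saying the canonical root deliberately comes from that field rather than the URL would avoid the next reader assuming a typo. The `catch` on line 49 prints the stack trace and returns null, which the caller cannot distinguish from the rejected-path case; routing it through the class's `log` would keep the failure visible. The enclosing method starts before this hunk.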