Posted to dev@tomcat.apache.org by ma...@apache.org on 2013/11/15 16:04:53 UTC
svn commit: r1542284 -
/tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java
Author: markt
Date: Fri Nov 15 15:04:52 2013
New Revision: 1542284
URL: http://svn.apache.org/r1542284
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55776
Normalize resource requests before processing them.
Modified:
tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java
Modified: tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java?rev=1542284&r1=1542283&r2=1542284&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/StandardRoot.java Fri Nov 15 15:04:52 2013
@@ -39,6 +39,7 @@ import org.apache.catalina.WebResourceTr
import org.apache.catalina.util.LifecycleMBeanBase;
import org.apache.juli.logging.Log;
import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.http.RequestUtil;
import org.apache.tomcat.util.res.StringManager;
/**
@@ -106,9 +107,9 @@ public class StandardRoot extends Lifecy
return list(path, true);
}
- private String[] list(String path, boolean doStateCheck) {
- if (doStateCheck) {
- checkState();
+ private String[] list(String path, boolean validate) {
+ if (validate) {
+ path = validate(path);
}
// Set because we don't want duplicates
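Review bot: The boolean parameter renamed to `validate` in `list` now has the same name as the new private method it gates, so `if (validate) { path = validate(path); }` reads ambiguously even though it compiles. A name such as `doValidate` would keep the flag and the call apart; the same applies to the renamed parameter in `getResource` and `listResources` further down. The body of `list` continues outside the hunk.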
@@ -132,7 +133,7 @@ public class StandardRoot extends Lifecy
@Override
public Set<String> listWebAppPaths(String path) {
- checkState();
+ path = validate(path);
// Set because we don't want duplicates
HashSet<String> result = new HashSet<>();
@@ -151,7 +152,7 @@ public class StandardRoot extends Lifecy
@Override
public boolean mkdir(String path) {
- checkState();
+ path = validate(path);
if (preResourceExists(path)) {
return false;
@@ -162,7 +163,7 @@ public class StandardRoot extends Lifecy
@Override
public boolean write(String path, InputStream is, boolean overwrite) {
- checkState();
+ path = validate(path);
if (!overwrite && preResourceExists(path)) {
return false;
@@ -186,10 +187,10 @@ public class StandardRoot extends Lifecy
return getResource(path, true, false);
}
- private WebResource getResource(String path, boolean doStateCheck,
+ private WebResource getResource(String path, boolean validate,
boolean useClassLoaderResources) {
- if (doStateCheck) {
- checkState();
+ if (validate) {
+ path = validate(path);
}
if (isCachingAllowed()) {
@@ -202,23 +203,35 @@ public class StandardRoot extends Lifecy
@Override
public WebResource getClassLoaderResource(String path) {
- checkPath(path);
return getResource("/WEB-INF/classes" + path, true, true);
}
@Override
public WebResource[] getClassLoaderResources(String path) {
- checkPath(path);
return getResources("/WEB-INF/classes" + path, true);
}
- private void checkPath(String path) {
+ /**
+ * Ensures that this object is in a valid state to serve resources, checks
+ * that the path is a String that starts with '/' and checks that the path
+ * can be normalized without stepping outside of the root.
+ *
+ * @param path
+ * @return the normlized path
+ */
+ private String validate(String path) {
+ if (!getState().isAvailable()) {
+ throw new IllegalStateException(
+ sm.getString("standardRoot.checkStateNotStarted"));
+ }
+
if (path == null || path.length() == 0 || !path.startsWith("/")) {
throw new IllegalArgumentException(
sm.getString("standardRoot.invalidPath", path));
}
+ return RequestUtil.normalize(path);
}
protected final WebResource getResourceInternal(String path,
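Review bot: The value returned by `RequestUtil.normalize(path)` at the end of `validate` is handed back unchecked, although the Javadoc promises that a path stepping outside the root is rejected. The helper's body is not part of this diff; if it reports an un-normalizable path by returning null, as I believe it does, every caller now continues with a null path instead of failing with IllegalArgumentException. I would test the result and throw with the existing `standardRoot.invalidPath` message, as in the excerpt below. Separately, `getClassLoaderResource` and `getClassLoaderResources` lose `checkPath` and are validated only after `"/WEB-INF/classes"` is prepended, so a null path, a path without a leading '/', or one whose `..` segments resolve above that prefix is no longer rejected; validating `path` before the concatenation would keep the old guarantee.

```java
private String validate(String path) {
    // … unchanged: availability check and null/empty/leading-'/' check …
    String normalized = RequestUtil.normalize(path);
    if (normalized == null || !normalized.startsWith("/")) {
        throw new IllegalArgumentException(
                sm.getString("standardRoot.invalidPath", path));
    }
    return normalized;
}
```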
@@ -255,7 +268,7 @@ public class StandardRoot extends Lifecy
private WebResource[] getResources(String path,
boolean useClassLoaderResources) {
- checkState();
+ path = validate(path);
ArrayList<WebResource> result = new ArrayList<>();
for (ArrayList<WebResourceSet> list : allResources) {
@@ -281,9 +294,9 @@ public class StandardRoot extends Lifecy
return listResources(path, true);
}
- private WebResource[] listResources(String path, boolean doStateCheck) {
- if (doStateCheck) {
- checkState();
+ private WebResource[] listResources(String path, boolean validate) {
+ if (validate) {
+ path = validate(path);
}
String[] resources = list(path, false);
@@ -465,13 +478,6 @@ public class StandardRoot extends Lifecy
this.context = context;
}
- private void checkState() {
- if (!getState().isAvailable()) {
- throw new IllegalStateException(
- sm.getString("standardRoot.checkStateNotStarted"));
- }
- }
-
/*
* Class loader resources are handled by treating JARs in WEB-INF/lib as
* resource JARs (without the internal META-INF/resources/ prefix) mounted