craigmcc 00/11/30 19:00:41 Modified: src/doc Tag: tomcat_32 readme src/share/org/apache/tomcat/request Tag: tomcat_32 SimpleMapper1.java Log: Fix a potential security problem in Tomcat 3.2. The servlet specification prohibits servlet containers from serving "files" in the WEB-INF directory of a web application. Tomcat 3.2 currently enforces this restriction on static resources (like /WEB-INF/web.xml),but allowed access to JSP pages stored there (/WEB-INF/index.jsp). This access is no longer allowed. Submitted by: David Aiken <[EMAIL PROTECTED]> Revision Changes Path No revision No revision 1.8.2.9 +10 -46 jakarta-tomcat/src/doc/readme Index: readme =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/doc/readme,v retrieving revision 1.8.2.8 retrieving revision 1.8.2.9 diff -u -r1.8.2.8 -r1.8.2.9 --- readme 2000/11/27 23:36:45 1.8.2.8 +++ readme 2000/12/01 03:00:28 1.8.2.9 @@ -1,9 +1,9 @@ -$Id: readme,v 1.8.2.8 2000/11/27 23:36:45 craigmcc Exp $ +$Id: readme,v 1.8.2.9 2000/12/01 03:00:28 craigmcc Exp $ - Release Notes for: - ================== - TOMCAT Version 3.2 - ================== + Release Notes for: + ==================== + TOMCAT Version 3.2.1 + ==================== 0. TABLE OF CONTENTS: 
@@ -78,48 +78,12 @@ ============================================================================= 5. NEW FEATURES IN THIS RELEASE -Tomcat 3.2 is mainly a performance tune-up release, although a few new -features have been added. +Tomcat 3.2.1 is a maintenance and bug fix release, based on the Tomcat 3.2 +(final) code base. The following changes are included: -- Support for mod_jk, which is a replacement to the elderly mod_jserv, has - had several bugs fixed and has received much more testing. It is now - recommended that all users use mod_jk instead of mod_jserv. - -- Support JAXP-based XML parser independence. - -- New and often requested "how-to" documents covering the following topics: - - Configuring workers.properties - - IIS and Netscape configuration - - Running tomcat inside an IIS or Netscape process - - Running Tomcat as a Windows NT service - - Configuring a JDBC realm - - Configuring mod_jk - -- First round of policy-based security support intended for running untrusted - code inside of Tomcat. Interested users should test this support and post - feedback to the Tomcat users mailing list. - -- SSL support for standalone Tomcat. (Preliminary support first appeared in - 3.1, but the support in 3.2 has received more testing and documentation - support. - -- Thread reuse is now enabled by default. The thread pool support code was part - of 3.1, but not enabled since it was new. - -- Support for plug-able session managers. Unfortunately, no how-to documents - that support this functionality exist (yet). For the adventurous, be aware - that the interface that allows administrators to plug session managers is - the normal Interceptor interface. - -- An almost total rewrite of the HTTP request handling now results in improved - performance when running Tomcat stand-alone. - -- Significantly reduced garbage collection. - -- The code has undergone a refactoring effort resulting in (we hope) improved - readability. 
- -- And of course, hundreds of miscellaneous improvements and fixes. +- Disallowed requesting JSP pages under the WEB-INF directory + (/WEB-INF/dummy.jsp). Previously, only requests for static files + were being disallowed. ============================================================================= No revision No revision 1.15.2.3 +18 -0 jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java Index: SimpleMapper1.java =================================================================== RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java,v retrieving revision 1.15.2.2 retrieving revision 1.15.2.3 diff -u -r1.15.2.2 -r1.15.2.3 --- SimpleMapper1.java 2000/08/25 17:50:30 1.15.2.2 +++ SimpleMapper1.java 2000/12/01 03:00:41 1.15.2.3 @@ -329,6 +329,24 @@ // is _allways_ called after contextMap ( it was asserted in all // implementations). + // Security check -- disallow any access under WEB-INF or META-INF + String contextPath = null; + Context context = req.getContext(); + if (context != null) + contextPath = context.getPath(); + if (contextPath == null) + contextPath = ""; + String requestURI = req.getRequestURI(); + if (requestURI == null) + requestURI = ""; + String relativePath = + requestURI.substring(contextPath.length()).toUpperCase(); + if (relativePath.equals("/META-INF") || + relativePath.equals("/WEB-INF") || + relativePath.startsWith("/META-INF/") || + relativePath.startsWith("/WEB-INF/")) + return 404; + return OK; }
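Review bot: the readme entry in the second hunk only mentions WEB-INF, but the SimpleMapper1.java change in the same commit also returns 404 for /META-INF and everything beneath it, so the release note under-documents the behaviour change; suggest "- Disallowed requesting JSP pages under the WEB-INF or META-INF directories" (and the rest of the entry as written) so administrators know both trees are now refused.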
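Review bot: in the SimpleMapper1.java hunk the comparison runs on the raw value of req.getRequestURI(), and nothing in the hunk shows that value being decoded or having dot-segments collapsed before the substring()/startsWith() tests; the check should be made against the canonical (decoded, normalized) path, or the comment above it should state that the mapper is only reached after normalization. Two smaller points: toUpperCase() with no Locale argument is locale-sensitive (under a Turkish default locale a lower-case "i" does not upper-case to "I", so a lower-case web-inf path would fail to match "/WEB-INF/"), so use toUpperCase(Locale.ENGLISH) or, better, drop the case conversion and compare with regionMatches(true, ...); and requestURI.substring(contextPath.length()) throws StringIndexOutOfBoundsException when the URI is shorter than the context path, which the surrounding comment says cannot happen because contextMap always runs first, but a requestURI.startsWith(contextPath) guard would make the security check self-contained rather than dependent on that ordering.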