marcsaeg 01/04/07 18:37:57
Modified: src/share/org/apache/tomcat/core Tag: tomcat_32 Context.java
src/share/org/apache/tomcat/facade Tag: tomcat_32 ServletContextFacade.java
src/share/org/apache/tomcat/util Tag: tomcat_32 URLUtil.java
Log:
One more time to address the double decode security hole. Trying to detect the URLFileConnection bug turned out to be problematic so I've decided for now to just disallow all resource names with URL escapes in them. This certainly prevents the security hole but does preclude some resources that with valid escapes in them. This will be noted as a Tomcat limitation. Thanks to Costin for the simplifying idea.
Revision Changes Path
No revision
No revision
1.100.2.7 +3 -6 jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java
Index: Context.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/core/Context.java,v
retrieving revision 1.100.2.6
retrieving revision 1.100.2.7
diff -u -r1.100.2.6 -r1.100.2.7
--- Context.java 2001/04/07 01:07:18 1.100.2.6
+++ Context.java 2001/04/08 01:37:57 1.100.2.7
@@ -169,8 +169,6 @@
 Vector vhostAliases=new Vector();
 FacadeManager facadeM;
- private boolean fileURLBug = URLUtil.hasFileURLBug(); // Saves a synchronized method call for each request
-
 public Context() {
 defaultContainer=new Container();
 defaultContainer.setContext( this );
@@ -753,6 +751,9 @@
 public URL getResource(String rpath) throws MalformedURLException {
 if (rpath == null) return null;
+ if(URLUtil.hasEscape(rpath))
+ return null;
+
 URL url = null;
 String absPath=getAbsolutePath();
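Review bot: The new `URLUtil.hasEscape(rpath)` guard in getResource returns null without a trace, so a resource refused because its name contains a `%` sequence is indistinguishable from a missing one, and the reason for the refusal lives only in the log message. Add a why-comment above the check, `// Names with %HH escapes are refused: some JDK file: URL handlers decode them again, which would decode an already-decoded request path twice (Tomcat limitation, see URLUtil.hasEscape)`, and a debug line in the style the method already uses later on, `if( debug>0) log( "getResource: refused escaped path " + rpath );`. getResource's body continues past the hunk; the `debug`/`log` idiom is taken from the hunk at line 769 of the same file.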
@@ -769,10 +770,6 @@
 }
 try {
- if(!fileURLBug){
- realPath = URLEncoder.encode(realPath);
- }
- System.out.println("Context.getResource: realPath = " + realPath);
 url=new URL("file", null, 0,realPath );
 if( debug>9) log( "getResourceURL=" + url + " request=" + rpath );
 return url;
No revision
No revision
1.3.2.3 +8 -0 jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/ServletContextFacade.java
Index: ServletContextFacade.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/facade/Attic/ServletContextFacade.java,v
retrieving revision 1.3.2.2
retrieving revision 1.3.2.3
diff -u -r1.3.2.2 -r1.3.2.3
--- ServletContextFacade.java 2000/11/18 00:09:44 1.3.2.2
+++ ServletContextFacade.java 2001/04/08 01:37:57 1.3.2.3
@@ -137,6 +137,12 @@
 }
 public InputStream getResourceAsStream(String path) {
+ if(path == null)
+ return null;
+
+ if(URLUtil.hasEscape(path))
+ return null;
+
 InputStream is = null;
 try {
 URL url = getResource(path);
@@ -145,6 +151,8 @@
 is = con.getInputStream();
 } catch (MalformedURLException e) {
 } catch (IOException e) {
+ } catch (NullPointerException e){
+ // probably because getResource() returned null
 }
 return is;
 }
No revision
No revision
1.7.2.2 +17 -39 jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java
Index: URLUtil.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v
retrieving revision 1.7.2.1
retrieving revision 1.7.2.2
diff -u -r1.7.2.1 -r1.7.2.2
--- URLUtil.java 2001/04/07 01:07:19 1.7.2.1
+++ URLUtil.java 2001/04/08 01:37:57 1.7.2.2
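Review bot: The added `catch (NullPointerException e)` in getResourceAsStream stands in for a null check: when getResource(path) returns null — which the escape check in the previous hunk and the Context change in this commit make a routine outcome rather than an error — `url.openConnection()` throws, and the same catch also masks any other NullPointerException raised inside the try. Test the result explicitly, `if (url == null) return null;` directly after `URL url = getResource(path);`, and drop the catch together with its comment; that line sits in the previous hunk's context and the rest of the try body lies between the two hunks. The escape check added to getResourceAsStream itself appears to duplicate the one Context.getResource now applies, which is fine as defence in depth but deserves a one-line comment saying so, assuming the facade's getResource delegates there.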
@@ -1,7 +1,7 @@
 /*
- * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7.2.1 2001/04/07 01:07:19 marcsaeg Exp $
- * $Revision: 1.7.2.1 $
- * $Date: 2001/04/07 01:07:19 $
+ * $Header: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/util/Attic/URLUtil.java,v 1.7.2.2 2001/04/08 01:37:57 marcsaeg Exp $
+ * $Revision: 1.7.2.2 $
+ * $Date: 2001/04/08 01:37:57 $
 *
 * ====================================================================
 *
@@ -78,10 +78,6 @@
 */
 public class URLUtil {
-
- private static boolean fileURLBug = false;
- private static boolean fileURLBugChecked = false;
-
 public static URL resolve(String s) throws MalformedURLException {
@@ -189,42 +185,24 @@
 return null;
 }
- /*
- * There was a bug in versions of Suns Java runtime
- * in versions prior to 1.3.0 for file: URLs. In those version
- * URL encodings (%HH) were not decoded, in 1.3.0 and later
- * they are. For example, in 1.2.2, the URL file:%2e would try
- * try to open a file called %2e. In 1.3.0 and later it would
- * try to open the current directory (i.e. .).
- *
- * This extra URL decoding for file: URLs can open severe security
- * holes because it causes URLs to be decoded twice. For example,
- * a request URI containing sequences of /%252e%252e would get
- * interpreted as sequences of /.. and could escape the web application.
- *
- * The only way to determine if the current VM suffers from this bug
- * of not is to execute a URLConnection.getInputStream() on a file
- * URL
- *
- */
- public static synchronized boolean hasFileURLBug()
+ public static boolean hasEscape(String url)
 {
- if(!fileURLBugChecked){
- fileURLBugChecked = true;
- fileURLBug = false;
+ boolean hasEscape = false;
+
+ int pctindex = -1;
+ int index = 0;
+ while((pctindex = url.indexOf('%', pctindex+1)) >= 0){
 try{
- System.out.println("URLUtil.hasFileURLBug: user.dir = " + System.getProperty("user.dir"));
- URL url = new URL("file:%2e");
- URLConnection con = url.openConnection();
- InputStream is = con.getInputStream();
- }catch(MalformedURLException e){
- }catch(FileNotFoundException e){
- fileURLBug = true;
- }catch(IOException e){
+ String escape = url.substring(pctindex+1, pctindex+3);
+ int code = Integer.parseInt(escape, 16);
+ hasEscape = true;
+ break;
+ }catch(IndexOutOfBoundsException e){
+ break;
+ }catch(NumberFormatException e){
 }
 }
- System.out.println("URLUtil.hasFileURLBug: " + fileURLBug);
- return fileURLBug;
+ return hasEscape;
 }
 }
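Review bot: hasEscape lets a `%` that is not followed by two hex digits through — `url.substring(pctindex+1, pctindex+3)` on a trailing `%` or `%2` throws IndexOutOfBoundsException and the catch breaks out of the loop with `hasEscape` still false, and a sequence such as `%zz` is skipped by the NumberFormatException branch — whereas the log message says every name containing an escape is to be refused. Since the policy is deliberately fail-closed, `return url.indexOf('%') >= 0;` expresses it exactly, removes the exception-driven loop and the unused locals `index` and `code`, and does not depend on how the JDK's file: handler treats a malformed sequence (that behaviour is not visible here, so assuming the worst is the safer choice). The removed block comment was the only place explaining why escapes matter; keep that rationale as the method's Javadoc: that some JDK versions decode %HH in file: URLs, so a request path that was already decoded once would be decoded a second time, and that the method therefore rejects any escape instead of trying to detect the runtime bug. Both callers in this commit null-check before calling, so a `@param url` tag should state that null is not accepted (the current body throws NullPointerException on it).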