http://nagoya.apache.org/bugzilla/show_bug.cgi?id=6772

[Security] RequestDispatcher allows bypassing security manager sandboxing

           Summary: [Security] RequestDispatcher allows bypassing security manager sandboxing
           Product: Tomcat 4
           Version: 4.0.2 Final
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: Blocker
          Priority: Other
         Component: Catalina
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]

Using a request dispatcher with a relative URL (including '/../') allows a servlet or JSP to access files on the server filesystem, bypassing the protection the security manager provides.

From the original report:

The problem is this: with a more-or-less default installation of Tomcat using the security manager, in a jsp:include you can access outside of your context using ../../../ . Note that in other forms of reading the files, the security manager correctly prohibits access (both in a jsp:include giving the real path, and in standard programmatic file opening with real and ../ paths). It's just in the case of the include with a relative path that it allows access to others' files.

Here's a sample line of a JSP that should generate an error, but doesn't. The contexts are foo1/ and foo2/; they are defined in separate context tags. This line is from a file in foo1/.

<jsp:include page="../../../foo2/jsp/include/junk.txt"/>
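An added example, not part of the bug report and not Tomcat's own code: a standalone Java check that resolves an include target the way a relative dispatcher path is resolved (against the directory of the including resource, inside the context) and rejects any target whose normalized form climbs above the context root. The class name IncludePathGuard, the method name, and the sample servlet path /jsp/page.jsp are assumptions; the traversal string is the one quoted in the report.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Hypothetical helper: a context-root guard for dispatcher/include targets.
public final class IncludePathGuard {

    /**
     * Resolve an include target against the servlet path of the including
     * resource and normalize it. Returns the context-relative path, or null
     * when the target would escape the context root (the case the bug describes).
     *
     * Inputs are assumed to be already URL-decoded, as the container sees them.
     */
    public static String resolveWithinContext(String currentServletPath, String includeTarget) {
        String base;
        if (includeTarget.startsWith("/")) {
            // Leading '/' means "relative to the context root", so no base directory.
            base = "";
        } else {
            // Relative targets resolve against the directory of the including resource.
            int slash = currentServletPath.lastIndexOf('/');
            base = slash >= 0 ? currentServletPath.substring(0, slash) : "";
        }
        String combined = base + "/" + includeTarget;

        // Segment-wise normalization: '..' pops a segment; popping past the root is an escape.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : combined.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null; // climbed above the context root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        // Constructed sample targets, evaluated from a page at /jsp/page.jsp inside the context.
        String[] targets = {
            "include/junk.txt",                    // stays under /jsp/
            "../index.jsp",                        // climbs to the context root, still inside
            "/WEB-INF/web.xml",                    // context-relative absolute path
            "../../../foo2/jsp/include/junk.txt"   // the report's line: leaves the context
        };
        for (String t : targets) {
            String resolved = resolveWithinContext("/jsp/page.jsp", t);
            System.out.println(t + " -> "
                + (resolved == null ? "REJECTED (escapes context root)" : resolved));
        }
    }
}
```

Applying such a check in application code is defense in depth only; the report's point is that the container itself must normalize the dispatcher target before mapping it to a file, so that the security manager's file permissions cannot be sidestepped by an include that the container resolves on the servlet's behalf.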