http://nagoya.apache.org/bugzilla/show_bug.cgi?id=9772

RequestDispatcher.forward(resource) does not perform necessary checks

           Summary: RequestDispatcher.forward(resource) does not perform
                    necessary checks
           Product: Tomcat 3
           Version: 3.3 Final
          Platform: PC
        OS/Version: Other
            Status: NEW
          Severity: Normal
          Priority: Other
         Component: Servlet
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


The RequestDispatcher.forward(resource) does not perform necessary checks for 
the specified resource. Assuming a DispatcherServlet is used to forward a 
request, the following examples are executed without error:

http://localhost:8080/app/_dispatcher?_reqpage=/x/abc/QTAd123/anyStuff.html
BUG: the resource does not exist and error 404 should be generated in this 
case. Instead an "empty" page with following contents is returned:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=Content-Type content="text/html; charset=windows-1252"></HEAD>
<BODY></BODY></HTML>

http://localhost:8080/app/_dispatcher?_reqpage=/secure/
BUG: the resource is protected (and configured for formbased authentication), 
but no logon-JSP is prompted. Assuming that the removal of the last "/" results 
in a redirect I've tried it: the authentication becomes active again!
So http://localhost:8080/app/_dispatcher?_reqpage=/secure works where 
http://localhost:8080/app/_dispatcher?_reqpage=/secure/ and 
http://localhost:8080/app/_dispatcher?_reqpage=/secure/myFile.jsp do not prompt 
for a logon. Remember: the dispatcher performs a forward() in all cases.

Verifying: accesses without forward() to protected and existing resources work:
OK: http://localhost:8080/app/_dispatcher?_reqpage=/secure
OK: http://localhost:8080/app/secure/
OK: http://localhost:8080/app/secure/logoff.jsp

These clues lead to the assumption that the forward() method does not 
check for security and presence of the requested resource.
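Whatever the container does on forward(), a servlet that forwards to a client-supplied `_reqpage` value needs its own checks. The following is an added example, not code from the bug report or from Tomcat: a hypothetical `SafeDispatcherServlet` that allow-lists the target prefix, rejects directory targets like `/secure/` and container-private paths, and returns 404 when the resource is not present in the web application (the `ALLOWED_PREFIXES` values are assumptions).

```java
import java.io.IOException;
import javax.servlet.RequestDispatcher;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical hardened dispatcher; the class and prefixes are assumptions.
public class SafeDispatcherServlet extends HttpServlet {
    // Only forward into these context-relative prefixes (assumed layout).
    private static final String[] ALLOWED_PREFIXES = { "/pages/", "/public/" };

    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String target = req.getParameter("_reqpage");
        if (!isSafeTarget(target)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // Existence check for static resources: forwarding to a missing page
        // would otherwise produce the "empty" 200 response seen in the report.
        if (getServletContext().getResource(target) == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        RequestDispatcher rd = getServletContext().getRequestDispatcher(target);
        if (rd == null) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        rd.forward(req, resp);
    }

    // Security constraints in web.xml are matched against the client's request
    // URI, not the forward target, so the dispatcher enforces access itself:
    // no traversal, no path parameters, no directory targets, no WEB-INF,
    // and only paths under an explicit allow-list.
    static boolean isSafeTarget(String target) {
        if (target == null || !target.startsWith("/")) return false;
        if (target.indexOf("..") >= 0 || target.indexOf("//") >= 0) return false;
        if (target.indexOf('?') >= 0 || target.indexOf(';') >= 0) return false;
        if (target.endsWith("/")) return false;   // e.g. "/secure/"
        String lower = target.toLowerCase();
        if (lower.startsWith("/web-inf/") || lower.startsWith("/meta-inf/")) return false;
        for (int i = 0; i < ALLOWED_PREFIXES.length; i++) {
            if (target.startsWith(ALLOWED_PREFIXES[i])) return true;
        }
        return false;
    }
}
```

The `getResource` check only covers resources backed by files in the web application; targets served purely by a servlet mapping need a separate allow-list entry rather than a file lookup.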
