Remy Maucherat wrote:
> Henri Gomez wrote:
> 
>>> This is likely the protection against reading anything outside the 
>>> webapp root (see the "allowLinking" of FileDirContext), although I 
>>> don't know how the digester will try to load the included file.
>>
>> Digester code is derived from XmlMapper which is able to locate 
>> entities in ../../../ directories.
>>
>> My concern here is:
>>
>> The specs don't mention any restriction on the use of external entities 
>> outside the webapp.
>>
>> So it should be granted by default, isn't it?
>>
>> I took a look at FileDirContext but I didn't understand what 
>> allowLinking is.
> 
>> So my question is: bug or feature?
> 
> 
> There's a pretty strict check on the canonical path of a resource which 
> I added.
> I consider it a security feature. I think a webapp should be self 
> contained, so I think it's reasonable to have the check as the default.
> 
> "allowLinking" disables the check.
> 
> Don't be lazy, just do a search in FileDirContext ;-)

I took a look at this, but Digester doesn't use FileDirContext, so 
allowLinking doesn't fit.

The problem seems to be only in Digester, which fails to load 
../../../settings.xml

What could we do?

PS: I tried with TC 4.1.x and all commons from CVS.


        at org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344)
        at java.net.URL.openStream(URL.java:793)
        at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:807)
        at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:738)
        at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(XMLDTDScannerImpl.java:609)
        at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:1927)
        at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:1889)
        at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:359)
        at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(XMLDocumentScannerImpl.java:808)
        at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329)
        at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525)
        at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581)
        at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
        at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1175)
        at org.apache.commons.digester.Digester.parse(Digester.java:1542)
        at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:282)
        at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639)
        at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:243)
        at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
        at org.apache.catalina.core.StandardContext.start(StandardContext.java:3567)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
        at org.apache.catalina.core.StandardHost.start(StandardHost.java:738)
        at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
        at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
        at org.apache.catalina.core.StandardService.start(StandardService.java:497)
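The canonical-path containment check that Remy describes (and that "allowLinking" switches off), as an added stand-alone illustration; this is not Tomcat's FileDirContext code, and the class and method names (WebappRoot, resolve) are assumptions made for the example.

```java
import java.io.File;
import java.io.IOException;

/**
 * Hypothetical stand-in for the check discussed in the thread: a resource
 * name is resolved against the webapp root, canonicalized, and refused when
 * the canonical result no longer lies under the root. Not Tomcat's own API.
 */
public class WebappRoot {
    private final String canonicalRoot;
    private final boolean allowLinking;

    public WebappRoot(File root, boolean allowLinking) throws IOException {
        // Canonicalize once so symlinks and ".." in the root itself are resolved.
        this.canonicalRoot = root.getCanonicalPath();
        this.allowLinking = allowLinking;
    }

    /**
     * Returns the resolved file, or null when the canonical target escapes the
     * webapp root and linking is not allowed. This is why a name such as
     * "../../../settings.xml" is refused by default.
     */
    public File resolve(String name) throws IOException {
        File candidate = new File(canonicalRoot, name);
        if (allowLinking) {
            return candidate;           // check disabled, as with allowLinking=true
        }
        // getCanonicalPath collapses "." and ".." segments and follows symlinks,
        // so a prefix comparison on the result is a real containment check.
        String canonical = candidate.getCanonicalPath();
        if (!canonical.equals(canonicalRoot)
                && !canonical.startsWith(canonicalRoot + File.separator)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample root; the directory need not exist for canonicalization.
        File root = new File(System.getProperty("java.io.tmpdir"), "webapps/myapp");
        WebappRoot strict = new WebappRoot(root, false);
        WebappRoot linked = new WebappRoot(root, true);
        String[] names = { "WEB-INF/web.xml", "../../../settings.xml",
                           "WEB-INF/../../other/settings.xml" };
        for (String n : names) {
            System.out.println(n + "  strict=" + (strict.resolve(n) != null)
                    + "  allowLinking=" + (linked.resolve(n) != null));
        }
    }
}
```

Only the first name resolves in strict mode; the two ".." names resolve only when allowLinking is true, which mirrors the default behaviour the thread debates.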