On Wed, 9 Oct 2002, Henri Gomez wrote:

> Date: Wed, 09 Oct 2002 17:39:00 +0200
> From: Henri Gomez <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: apps conversion from 3.3.1 to 4.1.12
>
> Remy Maucherat wrote:
> > Henri Gomez wrote:
> >
> >>> This is likely the protection against reading anything outside the
> >>> webapp root (see the "allowLinking" of FileDirContext), although I
> >>> don't know how the digester will try to load the included file.
> >>
> >> Digester code is derived from XmlMapper which is able to locate
> >> entities in ../../../ directories.
> >>
> >> My concern here is :
> >>
> >> Specs didn't mention restrictions on the use of external entities outside
> >> the webapp.
> >>
> >> So it should be granted by default, isn't it?
> >>
> >> I took a look at FileDirContext but I didn't understand what
> >> allowLinking is.
> >
> >> So my question is: bug or feature?
> >
> >
> > There's a pretty strict check on the canonical path of a resource which
> > I added.
> > I consider it a security feature. I think a webapp should be self
> > contained, so I think it's reasonable to have the check as the default.
> >
> > "allowLinking" disables the check.
> >
> > Don't be lazy, just do a search in FileDirContext ;-)
>
> I took a look at this, but Digester doesn't use FileDirContext, so
> allowLinking doesn't fit.
>
> The problem seems to be only in Digester, which fails to load
> ../../../settings.xml
>
> What could we do ?
>

Haven't looked at the code, but here's a couple of thoughts that might
help:

If your path above ("../../../settings.xml") is attempting to go above
the context root of the webapp, it's pretty much guaranteed to fail
because of the security restrictions.  Undoing that restriction would just
create a bunch of CERT reports about Tomcat letting you browse the entire
directory structure of your disk.

One of the important enablers for using external entity files in Digester
is to use the Digester.parse() that takes an InputSource (rather than an
InputStream), and be sure you have configured your InputSource to include
the source URL.  That is necessary for the XML parser to be able to
resolve relative system ids.  The code in ContextConfig that parses
web.xml and TLD files was modified (a while back) to do this kind of
thing, if you need an example.

> PS: I tried with TC 4.1.x and all commons from CVS.
>

Craig

>
>       at org.apache.naming.resources.DirContextURLConnection.getInputStream(DirContextURLConnection.java:344)
>       at java.net.URL.openStream(URL.java:793)
>       at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:807)
>       at org.apache.xerces.impl.XMLEntityManager.startEntity(XMLEntityManager.java:738)
>       at org.apache.xerces.impl.XMLDTDScannerImpl.startPE(XMLDTDScannerImpl.java:609)
>       at org.apache.xerces.impl.XMLDTDScannerImpl.skipSeparator(XMLDTDScannerImpl.java:1927)
>       at org.apache.xerces.impl.XMLDTDScannerImpl.scanDecls(XMLDTDScannerImpl.java:1889)
>       at org.apache.xerces.impl.XMLDTDScannerImpl.scanDTDInternalSubset(XMLDTDScannerImpl.java:359)
>       at org.apache.xerces.impl.XMLDocumentScannerImpl$DTDDispatcher.dispatch(XMLDocumentScannerImpl.java:808)
>       at org.apache.xerces.impl.XMLDocumentFragmentScannerImpl.scanDocument(XMLDocumentFragmentScannerImpl.java:329)
>       at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:525)
>       at org.apache.xerces.parsers.DTDConfiguration.parse(DTDConfiguration.java:581)
>       at org.apache.xerces.parsers.XMLParser.parse(XMLParser.java:152)
>       at org.apache.xerces.parsers.AbstractSAXParser.parse(AbstractSAXParser.java:1175)
>       at org.apache.commons.digester.Digester.parse(Digester.java:1542)
>       at org.apache.catalina.startup.ContextConfig.applicationConfig(ContextConfig.java:282)
>       at org.apache.catalina.startup.ContextConfig.start(ContextConfig.java:639)
>       at org.apache.catalina.startup.ContextConfig.lifecycleEvent(ContextConfig.java:243)
>       at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:166)
>       at org.apache.catalina.core.StandardContext.start(StandardContext.java:3567)
>       at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
>       at org.apache.catalina.core.StandardHost.start(StandardHost.java:738)
>       at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1188)
>       at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:347)
>       at org.apache.catalina.core.StandardService.start(StandardService.java:497)
>
> --
> To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
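An added example of the two points Craig makes above (mine, not code from Tomcat, Digester or anyone in this thread): the InputSource gets a system id so the parser can resolve a relative entity reference such as "settings.xml" against the document's own URL, and an EntityResolver enforces the same canonical-path rule Remy describes, refusing any entity whose real path is outside the webapp root. It uses the SAX XMLReader directly rather than Digester (the same InputSource would be handed to Digester.parse(InputSource)); the class and method names (ScopedEntityParse, WebappScopedResolver, parse) are hypothetical, and the XML files are constructed in a temporary directory.

```java
import java.io.IOException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

import javax.xml.parsers.SAXParserFactory;

import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
import org.xml.sax.XMLReader;
import org.xml.sax.helpers.DefaultHandler;

/**
 * Hypothetical example (not Tomcat or Digester code): parse an XML file whose
 * DTD pulls in an external entity by a relative system id, resolving it against
 * the document's own URL, while refusing any entity whose canonical path lies
 * outside the webapp root.
 */
public class ScopedEntityParse {

    /** EntityResolver that only serves file entities located under the webapp root. */
    static final class WebappScopedResolver implements EntityResolver {
        private final Path root;

        WebappScopedResolver(Path webappRoot) throws IOException {
            this.root = webappRoot.toRealPath();        // canonical form, symlinks followed
        }

        @Override
        public InputSource resolveEntity(String publicId, String systemId)
                throws SAXException, IOException {
            // By the time we are called, the parser has already turned the relative
            // system id into an absolute URI using the base URL of the document.
            if (systemId == null || !systemId.startsWith("file:")) {
                throw new SAXException("refusing non-file external entity: " + systemId);
            }
            Path target = Paths.get(URI.create(systemId)).toRealPath();
            if (!target.startsWith(root)) {
                // Same idea as Tomcat's canonical-path check: the webapp stays self-contained.
                throw new SAXException("external entity outside webapp root: " + target);
            }
            InputSource in = new InputSource(Files.newInputStream(target));
            in.setSystemId(target.toUri().toString());  // keeps nested relative ids resolvable
            return in;
        }
    }

    /** Parses doc and returns its character content; webappRoot bounds entity loading. */
    static String parse(Path doc, Path webappRoot) throws Exception {
        XMLReader reader = SAXParserFactory.newInstance().newSAXParser().getXMLReader();
        reader.setEntityResolver(new WebappScopedResolver(webappRoot));
        StringBuilder text = new StringBuilder();
        reader.setContentHandler(new DefaultHandler() {
            @Override
            public void characters(char[] ch, int start, int length) {
                text.append(ch, start, length);
            }
        });
        InputSource source = new InputSource(Files.newInputStream(doc));
        // The essential step from the message: give the InputSource a system id, or the
        // parser has no base URL against which to resolve "settings.xml".
        source.setSystemId(doc.toUri().toString());
        reader.parse(source);
        return text.toString().trim();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample layout: <tmp>/webappXXXX/WEB-INF/{app.xml,settings.xml}
        Path root = Files.createTempDirectory("webapp");
        Path webInf = Files.createDirectories(root.resolve("WEB-INF"));
        write(webInf.resolve("settings.xml"), "<setting name=\"mode\">prod</setting>");
        write(webInf.resolve("app.xml"),
              "<!DOCTYPE app [<!ENTITY settings SYSTEM \"settings.xml\">]>\n"
            + "<app>&settings;</app>");
        System.out.println("in-scope entity -> " + parse(webInf.resolve("app.xml"), root));

        // A sibling directory outside the webapp, reached with a ../../ relative id.
        Path outside = Files.createTempDirectory("outside");
        write(outside.resolve("secret.xml"), "<setting name=\"db\">hidden</setting>");
        String escape = "../../" + outside.getFileName() + "/secret.xml";
        write(webInf.resolve("bad.xml"),
              "<!DOCTYPE app [<!ENTITY s SYSTEM \"" + escape + "\">]>\n<app>&s;</app>");
        try {
            parse(webInf.resolve("bad.xml"), root);
            System.out.println("unexpected: out-of-root entity was loaded");
        } catch (SAXException e) {
            System.out.println("blocked -> " + e.getMessage());
        }
    }

    private static void write(Path file, String content) throws IOException {
        Files.write(file, content.getBytes(StandardCharsets.UTF_8));
    }
}
```

Without the setSystemId call, the parser resolves "settings.xml" against the JVM's working directory rather than the document, which is the kind of silent mis-resolution the message warns about. Doing the containment check on the real (symlink-resolved) path, as the resolver does, is what makes an "allowLinking"-style escape through a symlink fail closed as well.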