https://bz.apache.org/bugzilla/show_bug.cgi?id=63104

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 OS|                            |All
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
I'd argue that the behaviour in this case is undefined.

The Javadoc says that a MalformedURLException should be thrown "if the
pathname is not given in the correct form".

A path of "/../../" is in the correct form. The Javadoc states that "The path
must begin with a / and is interpreted as relative to the current context
root...". It does not state that the path must point to a resource within the
web application. On that basis, "/../../" is in the correct form.

Whether the Javadoc should be more explicit (I'd argue it should) is something
to raise with the Servlet EG at
https://github.com/eclipse-ee4j/servlet-api/issues

Since the behaviour is undefined, containers are free to choose their own
behaviour in this instance. Tomcat has opted to throw an IAE in an attempt to
make it clear that something has gone badly wrong. Trying to step outside the
web application root can be an indication of a path traversal attack.

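Added example, not Tomcat's or the Servlet API's code: the kind of check a caller can apply before handing a context-relative path to ServletContext.getResource(). It normalizes the path segment by segment and rejects anything that would resolve above the context root, such as "/../../", with an IllegalArgumentException, matching the choice described in the comment. The class name and method are assumptions for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;

/*
 * Illustrative helper (not from Tomcat or the Servlet API) for validating a
 * context-relative path before passing it to ServletContext.getResource().
 */
public final class ContextPathCheck {

    private ContextPathCheck() {}

    /**
     * Returns the normalized path (e.g. "/a/b"), or throws
     * IllegalArgumentException if the path does not begin with "/" or
     * would escape the context root. Assumes the path is already decoded,
     * which is what getResource() expects.
     */
    public static String normalizeContextPath(String path) {
        if (path == null || !path.startsWith("/")) {
            throw new IllegalArgumentException("Path must begin with '/': " + path);
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // "//" and "/./" contribute nothing
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    // Nothing left to pop: this ".." points above the context root.
                    throw new IllegalArgumentException(
                            "Path resolves outside the context root: " + path);
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        System.out.println(normalizeContextPath("/WEB-INF/../index.html"));
        System.out.println(normalizeContextPath("/a/./b//c"));
        try {
            normalizeContextPath("/../../");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```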