https://issues.apache.org/bugzilla/show_bug.cgi?id=56070
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
There is nothing in the Servlet specification or the Javadoc for ClassLoader.getResource() that states that if the input is not normalized that this must be retained in the provided URL.

Your security validation code should be testing the input to ClassLoader.getResource() rather than the output. Even then, depending on the rest of the code, that may be very easy to bypass.

Note that Tomcat will not allow an application to access a resource that is outside of the web application context root. "/" returns the path to "/WEB-INF/classes", "../.." returns the path to the context root and "../../.." returns null. This is more to detect bugs than a security measure as an application could easily just access the file system directly. You need to run under a security manager to prevent that sort of thing.

--
You are receiving this mail because:
You are the assignee for the bug.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
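The comment's point is that validation belongs on the name handed to ClassLoader.getResource(), not on the URL it hands back, because the class loader is free to normalize the path before returning it. The following is an added example, not code from the bug report or from Tomcat, showing input-side validation; the rule set (plain relative segments only, no "." or ".." segments, no leading slash, backslash or percent-encoding) and the class and method names are assumptions for illustration.

```java
import java.net.URL;
import java.util.regex.Pattern;

/**
 * Input-side validation for ClassLoader.getResource(): reject un-normalized
 * names before the lookup instead of inspecting the (possibly normalized) URL.
 */
public final class ResourceNameGuard {

    // Assumed rule set for one path segment; "." and ".." also match this
    // pattern, so they are rejected explicitly below.
    private static final Pattern SAFE_SEGMENT = Pattern.compile("[A-Za-z0-9_.-]+");

    private ResourceNameGuard() {}

    /** Returns true only if the name is already in canonical relative form. */
    public static boolean isSafeResourceName(String name) {
        if (name == null || name.isEmpty() || name.length() > 255) {
            return false;
        }
        // Absolute paths, Windows separators and percent-encoding are all
        // ways of smuggling a different path past a naive check.
        if (name.startsWith("/") || name.contains("\\") || name.contains("%")) {
            return false;
        }
        for (String segment : name.split("/", -1)) {
            // Empty segment covers "a//b" and a trailing "/"; "." and ".." are traversal.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")
                    || !SAFE_SEGMENT.matcher(segment).matches()) {
                return false;
            }
        }
        return true;
    }

    /** Performs the lookup only after the input name has passed validation. */
    public static URL safeGetResource(ClassLoader loader, String name) {
        if (!isSafeResourceName(name)) {
            return null; // reject, log or throw according to the application's policy
        }
        return loader.getResource(name);
    }

    public static void main(String[] args) {
        ClassLoader cl = ResourceNameGuard.class.getClassLoader();
        // Constructed sample inputs: one legitimate name and three traversal attempts.
        String[] samples = { "config/app.properties", "../../WEB-INF/web.xml", "/etc/passwd", "a/./b" };
        for (String s : samples) {
            System.out.println(s + " -> " + (isSafeResourceName(s) ? "accepted" : "rejected")
                    + ", url=" + safeGetResource(cl, s));
        }
    }
}
```

As the comment notes, this only guards one entry point; code that reads the file system directly bypasses it, which is what a security manager policy is for.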