https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
There is nothing in the Servlet specification or the Javadoc for
ClassLoader.getResource() that states that if the input is not normalized that
this must be retained in the provided URL.

Your security validation code should be testing the input to
ClassLoader.getResource() rather than the output. Even then, depending on the
rest of the code, that may be very easy to bypass.

Note that Tomcat will not allow an application to access a resource that is
outside of the web application context root. "/" returns the path to
"/WEB-INF/classes", "../.." returns the path to the context root and "../../.."
returns null. This is more to detect bugs than a security measure as an
application could easily just access the file system directly. You need to run
under a security manager to prevent that sort of thing.

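The comment above makes two points: the URL returned by ClassLoader.getResource() may be normalized, so inspecting it for ".." tells you nothing about what the caller passed in, and the check therefore belongs on the input. The following is an added example written for this page, not code from the bug report, Tomcat or the reporter's application. The class name SafeResourceLookup, the rule in isSafeResourceName and the sample inputs in main are all assumptions chosen for illustration; the rule is a simple allow-list (relative path, plain segments only) that refuses every name normalization could alter.

```java
import java.net.URL;
import java.util.Arrays;

/**
 * Added example (not from the bug report): validate the resource name
 * before it reaches ClassLoader.getResource(), because the URL that comes
 * back is free to be normalized and so cannot reveal whether the caller
 * supplied "." or ".." segments.
 */
public final class SafeResourceLookup {

    /** Hypothetical allow-list rule: a relative path made of plain segments. */
    static boolean isSafeResourceName(String name) {
        if (name == null || name.isEmpty()) {
            return false;
        }
        // Refuse absolute names, backslashes, and characters that could be
        // reinterpreted after decoding (percent signs, NUL).
        if (name.startsWith("/") || name.indexOf('\\') >= 0
                || name.indexOf('%') >= 0 || name.indexOf('\0') >= 0) {
            return false;
        }
        for (String segment : name.split("/", -1)) {
            // Empty segments ("a//b", trailing "/") and dot segments are refused;
            // "." and ".." are exactly the parts that normalization would erase.
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return false;
            }
        }
        return true;
    }

    /** Performs the lookup only when the name has passed the input check. */
    static URL lookup(ClassLoader loader, String name) {
        if (!isSafeResourceName(name)) {
            throw new IllegalArgumentException("rejected resource name: " + name);
        }
        return loader.getResource(name);
    }

    public static void main(String[] args) {
        ClassLoader loader = SafeResourceLookup.class.getClassLoader();
        // Constructed sample inputs: one ordinary name and three that an
        // output-side check (looking for ".." in url.getPath()) would miss,
        // since the returned URL no longer carries the dot segments.
        for (String candidate : Arrays.asList(
                "META-INF/MANIFEST.MF", "../../../config.txt", "%2e%2e/x", "/absolute")) {
            try {
                URL url = lookup(loader, candidate);
                System.out.println("accepted " + candidate + " -> " + url);
            } catch (IllegalArgumentException e) {
                System.out.println(e.getMessage());
            }
        }
    }
}
```

The check deliberately rejects rather than normalizes: collapsing "a/../b" to "b" would silently accept input the caller should never have sent, and it keeps the validated string identical to the string handed to getResource(), which closes the gap the comment warns about between what is tested and what is used. As the comment also notes, this guards the lookup path only; an application that reads the file system directly is unaffected, and only a security manager constrains that.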