User: gregwilkins
  Date: 02/03/11 17:50:52

  Modified:    jetty/src/main/org/mortbay/http HttpContext.java
  Log:
  Fixed rather embarrassing security problem with security constraints.
  
  A constraint at /my/secret/stuff/* could be bypassed with //my//secret//stuff
  
  The Jetty recommendation has always been to restrict / and then relax constraints
  for things like /my/public/stuff/*.  Webapps that took this safer approach were
  not affected.
  
  Revision  Changes    Path
  1.7       +4 -2      contrib/jetty/src/main/org/mortbay/http/HttpContext.java
  
  Index: HttpContext.java
  ===================================================================
  RCS file: /cvsroot/jboss/contrib/jetty/src/main/org/mortbay/http/HttpContext.java,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- HttpContext.java  11 Mar 2002 05:28:59 -0000      1.6
  +++ HttpContext.java  12 Mar 2002 01:50:51 -0000      1.7
  @@ -1,6 +1,6 @@
   // ========================================================================
   // Copyright (c) 2000 Mort Bay Consulting (Australia) Pty. Ltd.
  -// $Id: HttpContext.java,v 1.6 2002/03/11 05:28:59 janb Exp $
  +// $Id: HttpContext.java,v 1.7 2002/03/12 01:50:51 gregwilkins Exp $
   // ========================================================================
   
   package org.mortbay.http;
  @@ -30,6 +30,7 @@
   import org.mortbay.util.MultiException;
   import org.mortbay.util.Resource;
   import org.mortbay.util.StringUtil;
  +import org.mortbay.util.URI;
   
   /* ------------------------------------------------------------ */
   /** Context for a collection of HttpHandlers.
  @@ -54,7 +55,7 @@
    * @see HttpServer
    * @see HttpHandler
    * @see org.mortbay.jetty.servlet.ServletHttpContext
  - * @version $Id: HttpContext.java,v 1.6 2002/03/11 05:28:59 janb Exp $
  + * @version $Id: HttpContext.java,v 1.7 2002/03/12 01:50:51 gregwilkins Exp $
    * @author Greg Wilkins (gregw)
    */
   public class HttpContext implements LifeCycle
  @@ -1327,6 +1328,7 @@
                             HttpResponse response)
           throws HttpException, IOException
       {
  +     pathInContext=URI.canonicalPath(pathInContext);
           // Save the thread context loader
           Thread thread = Thread.currentThread();
           ClassLoader lastContextLoader=thread.getContextClassLoader();
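Review bot: The added canonicalisation on the first line of the method body never checks its result; if `URI.canonicalPath` can return null for a path that tries to `..` above the context root (I believe the Jetty implementation does, but confirm), `pathInContext` becomes null and every later use of it in this method and in the handlers it dispatches to fails with a NullPointerException instead of a clean rejection. I would refuse such a request before any dispatch, directly after the new line: `if (pathInContext==null) throw new HttpException(400);`. Whether the helper also neutralises percent-encoded separators and dot segments is not visible here, so the fix should be confirmed against the point at which pathInContext is decoded relative to this call. The enclosing handle method starts and ends outside this hunk.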
  
  
  
