[Bug 56070] the resource url is wrong!
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

--- Comment #6 from devali <4700...@qq.com> ---
In fact, the "crossContext" needed "../../..".

--
You are receiving this mail because: You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
[Bug 56070] the resource url is wrong!

Mark Thomas changed:

  What       | Removed  | Added
  Status     | REOPENED | RESOLVED
  Resolution | ---      | INVALID

--- Comment #7 from Mark Thomas ---
You need to stop spamming this issue with meaningless code snippets with no context and direct your query to the Apache Tomcat users mailing list. I strongly suggest you read this first: http://www.catb.org/~esr/faqs/smart-questions.html

If you continue to spam this issue, your account will be disabled.
[Bug 56070] the resource url is wrong!

--- Comment #5 from devali <4700...@qq.com> ---

    if (!allowLinking || !crossContext) {
        normalizing...
    }

or

    private Boolean disallowOutSite;

    public void setDisallowOutSite(Boolean disallowOutSite) {
        this.disallowOutSite = disallowOutSite;
    }

    if (disallowOutSite) {
        normalizing...
    }
[Bug 56070] the resource url is wrong!

Mark Thomas changed:

  What       | Removed  | Added
  Status     | REOPENED | RESOLVED
  Resolution | ---      | INVALID

--- Comment #3 from Mark Thomas ---
That previous comment does not make any sense. My comment #1 above stands. If you require further assistance please use the Apache Tomcat users mailing list.
[Bug 56070] the resource url is wrong!

devali <4700...@qq.com> changed:

  What       | Removed  | Added
  Status     | RESOLVED | REOPENED
  Resolution | INVALID  | ---

--- Comment #4 from devali <4700...@qq.com> ---
How about:

    if (!allowLinking || crossContext) {
        normalizing...
    }
[Bug 56070] the resource url is wrong!

devali <4700...@qq.com> changed:

  What       | Removed  | Added
  Status     | RESOLVED | REOPENED
  Resolution | INVALID  | ---

--- Comment #2 from devali <4700...@qq.com> ---
My site's real path is /home/tomcat/webapps/ROOT/ and in this case the resource URL is /home/tomcat/webapps/ROOT/WEB-INF/classes/myweb/../tmplog/logs. It isn't outside my web site.

And StandardRoot has "allowLinking", so there is no need to normalize the URL. If the URL is normalized, "allowLinking" does not work.
[Bug 56070] the resource url is wrong!

Mark Thomas changed:

  What       | Removed | Added
  Status     | NEW     | RESOLVED
  Resolution | ---     | INVALID

--- Comment #1 from Mark Thomas ---
There is nothing in the Servlet specification or the Javadoc for ClassLoader.getResource() that states that if the input is not normalized that this must be retained in the provided URL.

Your security validation code should be testing the input to ClassLoader.getResource() rather than the output. Even then, depending on the rest of the code, that may be very easy to bypass.

Note that Tomcat will not allow an application to access a resource that is outside of the web application context root. "/" returns the path to "/WEB-INF/classes", "../.." returns the path to the context root and "../../.." returns null. This is more to detect bugs than a security measure as an application could easily just access the file system directly. You need to run under a security manager to prevent that sort of thing.
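The advice in comment #1 (validate the name you pass to ClassLoader.getResource(), not the URL you get back) as an added example. This is not Tomcat's code and not the reporter's; it is a stand-alone class written for this page. The class name SafeResourceLookup, the helpers normalize() and lookup(), and the sample names in main() are all constructed for the example. Its policy is an assumption and deliberately stricter than the Tomcat behaviour Mark describes: every name must stay inside the class loader's resource root, so "../.." is rejected here rather than resolving to the context root.

```java
import java.net.URL;
import java.util.ArrayDeque;
import java.util.Deque;

/*
 * Added example, not Tomcat code. The returned URL may be normalized by the
 * container (or be null), so testing it for ".." proves nothing; the check
 * has to happen on the input before getResource() is ever called.
 *
 * Policy (an assumption for this example): a name must be relative, contain
 * no NUL byte, and must never climb above the resource root.
 */
public final class SafeResourceLookup {

    /**
     * Collapses "." and ".." segments and rejects names that are absolute,
     * contain a NUL byte, or would leave the resource root.
     */
    static String normalize(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty resource name");
        }
        if (name.startsWith("/") || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("absolute name or NUL byte: " + name);
        }
        Deque<String> kept = new ArrayDeque<>();
        for (String seg : name.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                        // "a//b" and "a/./b" both mean "a/b"
            }
            if (seg.equals("..")) {
                if (kept.isEmpty()) {            // nothing left to pop: escapes the root
                    throw new IllegalArgumentException("escapes resource root: " + name);
                }
                kept.removeLast();
                continue;
            }
            kept.addLast(seg);
        }
        if (kept.isEmpty()) {
            throw new IllegalArgumentException("resolves to the root itself: " + name);
        }
        return String.join("/", kept);
    }

    /** Performs the lookup only after the name has passed normalize(). */
    static URL lookup(ClassLoader loader, String name) {
        return loader.getResource(normalize(name));
    }

    public static void main(String[] args) {
        // Constructed sample names: the reporter's case, one name that the JDK's
        // own loaders can resolve, and two that climb out of the resource root.
        String[] samples = {
            "myweb/../tmplog/logs",     // accepted, normalized to "tmplog/logs"
            "java/lang/String.class",   // accepted, resolvable via the JDK class loaders
            "../..",                    // rejected here (Tomcat would return the context root)
            "../../../etc/passwd",      // rejected (Tomcat would return null)
        };
        ClassLoader loader = SafeResourceLookup.class.getClassLoader();
        for (String s : samples) {
            try {
                URL url = lookup(loader, s);
                System.out.println("OK   " + s + " -> " + normalize(s) + " -> " + url);
            } catch (IllegalArgumentException e) {
                System.out.println("DENY " + s + " : " + e.getMessage());
            }
        }
    }
}
```

Note the two caveats Mark raises still apply to this example: the check only covers names that go through lookup(), so code elsewhere that opens files directly or calls getResource() itself bypasses it entirely, and a web application that wants to read the file system can simply do so. Restricting that requires running under a security manager, not input validation.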
[Bug 56070] the resource url is wrong!

devali <4700...@qq.com> changed:

  What     | Removed | Added
  Priority | P2      | P1
  OS       |         | All
  Severity | normal  | regression