[Bug 56070] the resource url is wrong!

2014-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

--- Comment #6 from devali <4700...@qq.com> ---
In fact, the "crossContext" needed "../../..".

-- 
You are receiving this mail because:
You are the assignee for the bug.

-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 56070] the resource url is wrong!

2014-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

Mark Thomas  changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution|--- |INVALID

--- Comment #7 from Mark Thomas  ---
You need to stop spamming this issue with meaningless code snippets with no
context and direct your query to the Apache Tomcat users mailing list. I
strongly suggest you read this first:
http://www.catb.org/~esr/faqs/smart-questions.html

If you continue to spam this issue, your account will be disabled.




[Bug 56070] the resource url is wrong!

2014-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

--- Comment #5 from devali <4700...@qq.com> ---

if (!allowLinking||!crossContext)
{
  normalizing...
}


or

private Boolean disallowOutSite;

public void setDisallowOutSite(Boolean disallowOutSite){
 this.disallowOutSite=disallowOutSite;
}

if (disallowOutSite)
{
  normalizing...
}




[Bug 56070] the resource url is wrong!

2014-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

Mark Thomas  changed:

   What|Removed |Added

 Status|REOPENED|RESOLVED
 Resolution|--- |INVALID

--- Comment #3 from Mark Thomas  ---
That previous comment does not make any sense. My comment #1 above stands. If
you require further assistance please use the Apache Tomcat users mailing list.




[Bug 56070] the resource url is wrong!

2014-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

devali <4700...@qq.com> changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|INVALID |---

--- Comment #4 from devali <4700...@qq.com> ---
How the:
if (!allowLinking||crossContext)
{
  normalizing...
}




[Bug 56070] the resource url is wrong!

2014-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

devali <4700...@qq.com> changed:

   What|Removed |Added

 Status|RESOLVED|REOPENED
 Resolution|INVALID |---

--- Comment #2 from devali <4700...@qq.com> ---
My site's real path is:
/home/tomcat/webapps/ROOT/
and in this case the resource URL is:
/home/tomcat/webapps/ROOT/WEB-INF/classes/myweb/../tmplog/logs
It isn't outside my web site.

And StandardRoot has the "allowLinking"; it does not need to normalize the URL.
If the URL is normalized, "allowLinking" does not work.




[Bug 56070] the resource url is wrong!

2014-01-28 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |RESOLVED
 Resolution|--- |INVALID

--- Comment #1 from Mark Thomas  ---
There is nothing in the Servlet specification or the Javadoc for
ClassLoader.getResource() that states that if the input is not normalized that
this must be retained in the provided URL.

Your security validation code should be testing the input to
ClassLoader.getResource() rather than the output. Even then, depending on the
rest of the code, that may be very easy to bypass.

Note that Tomcat will not allow an application to access a resource that is
outside of the web application context root. "/" returns the path to
"/WEB-INF/classes", "../.." returns the path to the context root and "../../.."
returns null. This is more to detect bugs than a security measure, as an
application could easily just access the file system directly. You need to run
under a security manager to prevent that sort of thing.

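Comment #1 makes the point that validation belongs on the input to ClassLoader.getResource(), not on the URL it returns, because nothing guarantees the returned URL keeps an un-normalized input. The following is an added example, not Tomcat code and not anything the reporter posted: it reduces a resource name to a canonical segment list and rejects any name that would climb above the lookup root before the lookup happens. The class name ResourceNameGuard, the method names and the sample names are all invented for this illustration, and the example assumes the lookup root itself is the boundary (stricter than Tomcat's own rule in comment #1, which lets "../.." reach the context root).

```java
import java.net.URL;
import java.util.ArrayDeque;
import java.util.Deque;

/**
 * Added example (hypothetical class, not part of Tomcat): validate a
 * classpath resource name *before* calling ClassLoader.getResource(),
 * instead of inspecting the URL that comes back.
 */
public final class ResourceNameGuard {

    private ResourceNameGuard() {}

    /**
     * Returns the normalized, root-relative resource name, or throws if
     * the name would resolve above the lookup root.
     */
    public static String normalize(String name) {
        if (name == null || name.isEmpty()) {
            throw new IllegalArgumentException("empty resource name");
        }
        // Resource names use '/' only; backslashes and NULs are never legitimate here.
        if (name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) {
            throw new IllegalArgumentException("illegal character in resource name");
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : name.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;               // "//" and "/./" contribute nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    // Would resolve above the root: reject before any lookup.
                    throw new IllegalArgumentException("resource name escapes root: " + name);
                }
                segments.removeLast();  // ".." cancels the previous segment
                continue;
            }
            segments.addLast(seg);
        }
        return String.join("/", segments);
    }

    /** Perform the lookup only on a name that has passed normalize(). */
    public static URL safeGetResource(ClassLoader loader, String name) {
        return loader.getResource(normalize(name));
    }

    public static void main(String[] args) {
        // Constructed sample names for the demonstration.
        String[] samples = {
            "myweb/config.properties",   // plain name: accepted unchanged
            "myweb/../tmplog/logs",      // stays inside the root: becomes "tmplog/logs"
            "../../../outside.txt",      // climbs above the root: rejected
        };
        for (String s : samples) {
            try {
                System.out.println(s + " -> " + normalize(s));
            } catch (IllegalArgumentException e) {
                System.out.println(s + " -> rejected (" + e.getMessage() + ")");
            }
        }
    }
}
```

Two caveats follow directly from the comment above. A lexical check like this says nothing about symbolic links on the file system (the "allowLinking" behaviour the reporter refers to), so it is a check on the request, not on where the resolved file really lives. And it only guards this one call path: code that opens files through java.io directly bypasses it entirely, which is why the comment points to a security manager for that case.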



[Bug 56070] the resource url is wrong!

2014-01-27 Thread bugzilla
https://issues.apache.org/bugzilla/show_bug.cgi?id=56070

devali <4700...@qq.com> changed:

   What|Removed |Added

   Priority|P2  |P1
 OS||All
   Severity|normal  |regression
