Re: pathTranslated and pathInfo... More unsafe paths

2001-03-20 Thread christopher hull



Craig R. McClanahan wrote:

> On Wed, 14 Mar 2001, christopher hull wrote:
>
> > Wow!  Thanks for the quick response.
> >
> > The problem it turns out has nothing to do with spaces.  When
> > getResourceAsStream() can't find a resource, it displays a space just
> > after the root for convenience.  It turns out that getResourceAsStream
> > is case sensitive.  Is there a way to tell getResourceAsStream
> > not to be?
>
> Servlets are case sensitive.  Tomcat 3.1 and 3.2 (without the .1
> updates) had problems in this area that caused huge security holes because
> they were NOT completely case sensitive.
>
> If you still want non-case-sensitive Tomcat, well, you've got the source
> code ... but you are totally on your own.
>
> > Thanks;
> > -Chris
>
> Craig McClanahan

Naw, case sensitive Tomcat sounds like the wrong answer.  We want to 
work with any servlet host.  We'll fix our XSL.  Thanks again.

-- 

Christopher Hull
Engineering Group Manager, Senior Software Architect
Mediagate Inc.
iPost Card http://web.mediagate.com/chris.hull
iPost Voice 408 261 7201
email [EMAIL PROTECTED]




pathTranslated and pathInfo... More unsafe paths

2001-03-14 Thread christopher hull


But wait...
/WEB-INF/../../env.xml
is inside of
/WEB-INF/../env.xml
(see example below)

Do you have to specify all the sub-directories that a webapp uses?

Also, I've noticed an interesting and occasional unsafe path where a
space is being introduced just before the path I supply to
getResourceAsStream.

If I say servContext.getResourceAsStream("\path\foo.html");
I occasionally get an exception stating an unsafe path of...
w:\foo\bar\tomcat\webapps \path\foo.html

A space is being introduced just before the path I supply, but only 
sometimes.

Is there a reliable way to get the document root?
PathTranslated and PathInfo don't work the way they used to.

Running Tomcat 3.2.1

-Chris



Larry Isaacs wrote:

> David,
>
> For security, web applications aren't allowed to access files outside
> of the web application.  That is why /WEB-INF/../env.xml is okay
> and /WEB-INF/../../env.xml isn't.
>
> Larry
>
> -----Original Message-----
> From: David Soroko [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 13, 2001 7:53 AM
> To: [EMAIL PROTECTED]
> Subject: Unsafe path ?
>
>
> Hi all
> From within a servlet I am trying to read a file in the following way
> getServletContext().getResourceAsStream(getInitParameter("envFile"));
> When the parameter envFile has the value /WEB-INF/../../env.xml
> I am getting the following message from Tomcat:
> Unsafe path D:\Jupiter\tomcat\webapps\dir1\dir2\dir3 /WEB-INF/../../env.xml
> Any ideas why that is?
> Interestingly, when the parameter envFile has the value /WEB-INF/../env.xml
> Tomcat has no problems reading the file.
> This is on Tomcat 3.2/Wintel.
> TIA


-- 

Christopher Hull
Engineering Group Manager, Senior Software Architect
Mediagate Inc.
iPost Card http://web.mediagate.com/chris.hull
iPost Voice 408 261 7201
email [EMAIL PROTECTED]






Re: pathTranslated and pathInfo... More unsafe paths

2001-03-14 Thread christopher hull


Wow!  Thanks for the quick response.

The problem it turns out has nothing to do with spaces.  When
getResourceAsStream() can't find a resource, it displays a space just
after the root for convenience.  It turns out that getResourceAsStream
is case sensitive.  Is there a way to tell getResourceAsStream
not to be?

Thanks;
-Chris


Craig R. McClanahan wrote:

> On Wed, 14 Mar 2001, christopher hull wrote:
>
> > But wait...
> > /WEB-INF/../../env.xml
> > is inside of
> > /WEB-INF/../env.xml
> > (see example below)
>
> When you start with a slash, that means you are resolving a URL relative
> to some "base".  The base that is used depends on the context you are
> using it in:
>
> * For things like request dispatchers, and ServletContext.getResource(),
>   the base is the context root of your web application.
>
> * For things sent to the browser, like a hyperlink:
>   <a href="/WEB-INF/../../env.xml">Click Me</a>
>   the link would be resolved (by the browser) against the server root
>   of your web server.
>
> > Do you have to specify all the sub-directories that a webapp uses?
> >
> > Also, I've noticed an interesting and occasional unsafe path where a
> > space is being introduced just before the path I supply to
> > getResourceAsStream.
> >
> > If I say servContext.getResourceAsStream("\path\foo.html");
>
> This is actually an invalid path.  URLs always use forward slashes, even
> if some browsers (and some servers) let you get away with backslashes.
>
> > I occasionally get an exception stating an unsafe path of...
> > w:\foo\bar\tomcat\webapps \path\foo.html
> >
> > A space is being introduced just before the path I supply, but only
> > sometimes.
>
> Are you absolutely positive that the webapps directory is named
> "webapps" and not "webapps " (with a trailing space)?
>
> > Is there a reliable way to get the document root?
>
> You can get the context root of your webapp by calling:
>   String rootPath =
>     getServletContext().getRealPath("/");
> if you are running under a servlet container that runs from unpacked
> directories (like Tomcat 3.2.1 does).  If you are running under a servlet
> container that runs web apps directly from a WAR file, there is no such
> thing as the pathname of the context root, and the above call will return
> null.
>
> > PathTranslated and PathInfo don't work the way they used to.
>
> Tomcat 3.1 had bugs in these calls -- Tomcat 3.2.1 works correctly.
>
> > Running Tomcat 3.2.1
> >
> > -Chris
>
> Craig McClanahan


-- 

Christopher Hull
Engineering Group Manager, Senior Software Architect
Mediagate Inc.
iPost Card http://web.mediagate.com/chris.hull
iPost Voice 408 261 7201
email [EMAIL PROTECTED]
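The containment rule Larry states (a web application may not read files outside its own context root, which is why /WEB-INF/../env.xml is accepted and /WEB-INF/../../env.xml is refused) and the base-resolution and getRealPath("/") points Craig makes above can be illustrated with a small stand-alone check. The code below is an added example for this thread, not code from Tomcat or from any of the posters; it uses the java.nio.file API, which did not exist in the Tomcat 3.2 era, and the context root /opt/tomcat/webapps/dir3 and the file names are constructed for the demonstration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;

public class ResourcePathCheck {

    /**
     * Resolve a servlet-style resource path (forward slashes, interpreted
     * relative to the context root rather than the filesystem root) and
     * refuse anything that normalizes to a location outside that root.
     *
     * Returns the normalized absolute path, or null when the request
     * escapes the context root (the case Tomcat reports as "Unsafe path").
     */
    static Path resolveInsideContextRoot(Path contextRoot, String resourcePath) {
        Path root = contextRoot.toAbsolutePath().normalize();

        // Resource paths are URL-style and always use forward slashes; a
        // backslash is not a separator here, so reject it instead of guessing.
        if (resourcePath.indexOf('\\') >= 0) {
            return null;
        }

        // A leading "/" means "relative to the context root", not the
        // filesystem root, so strip it before resolving against root.
        String relative = resourcePath;
        while (relative.startsWith("/")) {
            relative = relative.substring(1);
        }

        // normalize() collapses "." and ".." segments, so "WEB-INF/../../x"
        // becomes a path above the root and fails the containment test.
        Path candidate = root.resolve(relative).normalize();

        // Path.startsWith compares whole name elements, so a sibling such as
        // /opt/tomcat/webapps/dir3-other is not treated as inside dir3.
        return candidate.startsWith(root) ? candidate : null;
    }

    public static void main(String[] args) {
        // Constructed context root. In a real servlet this would come from
        // getServletContext().getRealPath("/"), which is null when the
        // container serves the application straight from a WAR file, so a
        // caller must handle that case before resolving anything.
        Path contextRoot = Paths.get("/opt/tomcat/webapps/dir3");

        String[] requests = {
            "/WEB-INF/../env.xml",     // normalizes to .../dir3/env.xml: inside root
            "/WEB-INF/../../env.xml",  // normalizes to .../webapps/env.xml: outside root
            "\\path\\foo.html"         // backslashes are not URL separators: rejected
        };

        for (String request : requests) {
            Path resolved = resolveInsideContextRoot(contextRoot, request);
            System.out.println(request + " -> "
                + (resolved == null ? "Unsafe path" : resolved));
        }
    }
}
```

The check deliberately normalizes first and compares afterwards: comparing the raw string for a ".." prefix would miss a traversal that is buried after a legitimate directory, exactly the /WEB-INF/../../env.xml shape from David's report.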