Re: pathTranslated and pathInfo... More unsafe paths
Craig R. McClanahan wrote:
> On Wed, 14 Mar 2001, christopher hull wrote:
>> Wow! Thanks for the quick response. The problem it turns out has nothing to do with spaces. When getResourceAsStream() can't find a resource, it displays a space just after the root for convenience. It turns out that getResourceAsStream is case sensitive. Is there a way to tell getResourceAsStream not to be?
>
> Servlets are case sensitive. Tomcat 3.1 and 3.2 (without the .1 updates) had problems in this area that caused huge security holes because they were NOT completely case sensitive. If you still want non-case-sensitive Tomcat, well, you've got the source code ... but you are totally on your own.
>
>> Thanks;
>> -Chris
>
> Craig McClanahan

Naw, case sensitive Tomcat sounds like the wrong answer. We want to work with any servlet host. We'll fix our XSL. Thanks again.

--
Christopher Hull
Engineering Group Manager, Senior Software Architect
Mediagate Inc.
iPost Card http://web.mediagate.com/chris.hull
iPost Voice 408 261 7201
email [EMAIL PROTECTED]
pathTranslated and pathInfo... More unsafe paths
But wait... /WEB-INF/../../env.xml is inside of /WEB-INF/../env.xml (see example below)

Do you have to specify all the sub-directories that a webapp uses?

Also, I've noticed an interesting and occasional unsafe path where a space is being introduced just before the path I supply to getResourceAsStream. If I say

  servContext.getResourceAsStream("\path\foo.html");

I occasionally get an exception stating an unsafe path of...

  w:\foo\bar\tomcat\webapps \path\foo.html

A space is being introduced just before the path I supply, but only sometimes.

Is there a reliable way to get the document root? PathTranslated and PathInfo don't work the way they used to.

Running Tomcat 3.2.1

-Chris

Larry Isaacs wrote:
> David,
>
> For security, web applications aren't allowed to access files outside of the web application. That is why /WEB-INF/../env.xml is okay and /WEB-INF/../../env.xml isn't.
>
> Larry
>
> -----Original Message-----
> From: David Soroko [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, March 13, 2001 7:53 AM
> To: [EMAIL PROTECTED]
> Subject: Unsafe path ?
>
> Hi all
>
> From within a servlet I am trying to read a file in the following way
>
>   getServletContext().getResourceAsStream(getInitParameter("envFile"));
>
> When the parameter envFile has the value /WEB-INF/../../env.xml I am getting the following message from Tomcat:
>
>   Unsafe path D:\Jupiter\tomcat\webapps\dir1\dir2\dir3 /WEB-INF/../../env.xml
>
> Any ideas why that is? Interestingly, when the parameter envFile has the value /WEB-INF/../env.xml Tomcat has no problems reading the file.
>
> This is on Tomcat 3.2/Wintel.
>
> TIA
Re: pathTranslated and pathInfo... More unsafe paths
Wow! Thanks for the quick response. The problem it turns out has nothing to do with spaces. When getResourceAsStream() can't find a resource, it displays a space just after the root for convenience. It turns out that getResourceAsStream is case sensitive. Is there a way to tell getResourceAsStream not to be?

Thanks;
-Chris

Craig R. McClanahan wrote:
> On Wed, 14 Mar 2001, christopher hull wrote:
>> But wait... /WEB-INF/../../env.xml is inside of /WEB-INF/../env.xml (see example below)
>
> When you start with a slash, that means you are resolving a URL relative to some "base". The base that is used depends on the context you are using it in:
>
> * For things like request dispatchers, and ServletContext.getResource(), the base is the context root of your web application.
>
> * For things sent to the browser, like a hyperlink:
>
>     <a href="/WEB-INF/../../env.xml">Click Me</a>
>
>   the link would be resolved (by the browser) against the server root of your web server.
>
>> Do you have to specify all the sub-directories that a webapp uses?
>>
>> Also, I've noticed an interesting and occasional unsafe path where a space is being introduced just before the path I supply to getResourceAsStream. If I say
>>
>>   servContext.getResourceAsStream("\path\foo.html");
>
> This is actually an invalid path. URLs always use forward slashes, even if some browsers (and some servers) let you get away with backslashes.
>
>> I occasionally get an exception stating an unsafe path of...
>>
>>   w:\foo\bar\tomcat\webapps \path\foo.html
>>
>> A space is being introduced just before the path I supply, but only sometimes.
>
> Are you absolutely positive that the webapps directory is named "webapps" and not "webapps " (with a trailing space)?
>
>> Is there a reliable way to get the document root?
>
> You can get the context root of your webapp by calling:
>
>   String rootPath = getServletContext().getRealPath("/");
>
> if you are running under a servlet container that runs from unpacked directories (like Tomcat 3.2.1 does). If you are running under a servlet container that runs web apps directly from a WAR file, there is no such thing as the pathname of the context root, and the above call will return null.
>
>> PathTranslated and PathInfo don't work the way they used to.
>
> Tomcat 3.1 had bugs in these calls -- Tomcat 3.2.1 works correctly.
>
>> Running Tomcat 3.2.1
>>
>> -Chris
>
> Craig McClanahan
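The two checks Larry and Craig describe, as an added example written for this page (not Tomcat's code and not anything posted in the thread): a context-relative resource path is normalised against the webapp root and rejected when `..` carries it outside that root, and a file is then accepted only under its exact on-disk spelling, which is the case sensitivity Craig points to. The class and method names are made up for the example; the directory layout is constructed to mirror the thread, and `Files.writeString` assumes Java 11 or later.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Constructed example: containment and exact-case checks for webapp resource paths. */
public class SafeResourcePath {

    /** Resolves a context-relative path under the webapp root; null if it escapes the root. */
    public static Path resolveWithinRoot(Path contextRoot, String resource) {
        // Context-relative resource paths start with "/" and use forward slashes only,
        // so a backslash path such as "\path\foo.html" is rejected outright.
        if (!resource.startsWith("/")) {
            return null;
        }
        Path root = contextRoot.toAbsolutePath().normalize();
        // Drop the leading "/" so the path resolves against the context root rather than
        // the filesystem root; normalize() collapses every "..".
        Path candidate = root.resolve(resource.substring(1)).normalize();
        // "/WEB-INF/../env.xml" collapses to <root>/env.xml and is kept;
        // "/WEB-INF/../../env.xml" collapses to the parent of <root> and is rejected.
        return candidate.startsWith(root) ? candidate : null;
    }

    /** True only if the file exists under exactly this spelling (a case-sensitive lookup). */
    public static boolean existsExactCase(Path p) throws IOException {
        if (p == null || !Files.exists(p)) {
            return false;
        }
        // toRealPath() returns the on-disk spelling. On a case-insensitive filesystem
        // "ENV.XML" exists but comes back as "env.xml", so the comparison fails there too.
        return p.toRealPath().equals(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/webapps/dir1/dir2/dir3 is the webapp root. toRealPath()
        // on the temp dir removes symlinks so the equality check above compares like with like.
        Path root = Files.createTempDirectory("webapps").toRealPath().resolve("dir1/dir2/dir3");
        Files.createDirectories(root.resolve("WEB-INF"));
        Files.writeString(root.resolve("env.xml"), "<env/>");

        System.out.println("/WEB-INF/../env.xml    -> " + resolveWithinRoot(root, "/WEB-INF/../env.xml"));
        System.out.println("/WEB-INF/../../env.xml -> " + resolveWithinRoot(root, "/WEB-INF/../../env.xml"));
        System.out.println("\\path\\foo.html         -> " + resolveWithinRoot(root, "\\path\\foo.html"));
        System.out.println("/env.xml exact case    -> " + existsExactCase(resolveWithinRoot(root, "/env.xml")));
        System.out.println("/ENV.XML exact case    -> " + existsExactCase(resolveWithinRoot(root, "/ENV.XML")));
    }
}
```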