remm 01/04/05 11:55:03
Modified: catalina/src/share/org/apache/catalina/servlets
WebdavServlet.java
Log:
- Protect /WEB-INF and /META-INF from being deleted with a command
like DELETE /webdav (which can easily be issued using the Slide WebDAV client
by typing "delete .").
It's very likely there is a similar problem with COPY (which can be used to write in
/WEB-INF or /META-INF).
Problem reported by Max du Prel <mduprel at leveld.de>
Revision Changes Path
1.15 +13 -4
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
Index: WebdavServlet.java
===================================================================
RCS file:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- WebdavServlet.java 2001/04/04 18:23:06 1.14
+++ WebdavServlet.java 2001/04/05 18:55:02 1.15
@@ -1,7 +1,7 @@
/*
- * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
1.14 2001/04/04 18:23:06 remm Exp $
- * $Revision: 1.14 $
- * $Date: 2001/04/04 18:23:06 $
+ * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
1.15 2001/04/05 18:55:02 remm Exp $
+ * $Revision: 1.15 $
+ * $Date: 2001/04/05 18:55:02 $
*
* ====================================================================
*
@@ -125,7 +125,7 @@
* are handled by the DefaultServlet.
*
* @author Remy Maucherat
- * @version $Revision: 1.14 $ $Date: 2001/04/04 18:23:06 $
+ * @version $Revision: 1.15 $ $Date: 2001/04/05 18:55:02 $
*/
public class WebdavServlet
@@ -1752,6 +1752,15 @@
private void deleteCollection(HttpServletRequest req,
DirContext resources,
String path, Hashtable errorList) {
+
+ if (debug > 1)
+ System.out.println("Delete:" + path);
+
+ if ((path.toUpperCase().startsWith("/WEB-INF")) ||
+ (path.toUpperCase().startsWith("/META-INF"))) {
+ errorList.put(path, new Integer(WebdavStatus.SC_FORBIDDEN));
+ return;
+ }
String ifHeader = req.getHeader("If");
if (ifHeader == null)
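Review bot: The new guard at the top of deleteCollection uppercases the path with the default-locale `toUpperCase()`, so under a Turkish default locale `/web-inf` becomes `/WEB-İNF` and no longer matches the `/WEB-INF` prefix; that matters on case-insensitive file systems, where the lowercase spelling names the same directory. Pin the locale and uppercase once, e.g. `String upper = path.toUpperCase(Locale.ENGLISH);` followed by `if (upper.startsWith("/WEB-INF") || upper.startsWith("/META-INF")) {` (this needs `java.util.Locale` in scope). The prefix test also assumes `path` is already normalized (no `//` or `/./` segments) and will reject siblings such as `/WEB-INFO`; whether normalization happens before this call is not visible in the hunk, so it is worth confirming and recording in a comment above the check. The method body continues past the end of the hunk.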