cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets WebdavServlet.java

Thu, 05 Apr 2001 11:36:49 -0700 

remm        01/04/05 11:55:03

  Modified:    catalina/src/share/org/apache/catalina/servlets
                        WebdavServlet.java
  Log:
  - Protect /WEB-INF and /META-INF from being deleted with a command
    like DELETE /webdav (which can easily be issued using the Slide WebDAV client
    by typing "delete .").
    It's very likely there is a simlar problem with COPY (which can be used to write in
    /WEB-INF or /META-INF).
    Problem reported by Max du Prel <mduprel at leveld.de>
  
  Revision  Changes    Path
  1.15      +13 -4     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
  
  Index: WebdavServlet.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
  retrieving revision 1.14
  retrieving revision 1.15
  diff -u -r1.14 -r1.15
  --- WebdavServlet.java        2001/04/04 18:23:06     1.14
  +++ WebdavServlet.java        2001/04/05 18:55:02     1.15
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
 1.14 2001/04/04 18:23:06 remm Exp $
  - * $Revision: 1.14 $
  - * $Date: 2001/04/04 18:23:06 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
 1.15 2001/04/05 18:55:02 remm Exp $
  + * $Revision: 1.15 $
  + * $Date: 2001/04/05 18:55:02 $
    *
    * ====================================================================
    *
  @@ -125,7 +125,7 @@
    * are handled by the DefaultServlet.
    *
    * @author Remy Maucherat
  - * @version $Revision: 1.14 $ $Date: 2001/04/04 18:23:06 $
  + * @version $Revision: 1.15 $ $Date: 2001/04/05 18:55:02 $
    */
   
   public class WebdavServlet
  @@ -1752,6 +1752,15 @@
       private void deleteCollection(HttpServletRequest req, 
                                     DirContext resources, 
                                     String path, Hashtable errorList) {
  +        
  +        if (debug > 1)
  +            System.out.println("Delete:" + path);
  +        
  +        if ((path.toUpperCase().startsWith("/WEB-INF")) ||
  +            (path.toUpperCase().startsWith("/META-INF"))) {
  +            errorList.put(path, new Integer(WebdavStatus.SC_FORBIDDEN));
  +            return;
  +        }
           
           String ifHeader = req.getHeader("If");
           if (ifHeader == null)

Reply via email to