remm        01/04/05 12:03:09

  Modified:    catalina/src/share/org/apache/catalina/servlets
                        WebdavServlet.java
  Log:
  - Prevent COPY method from manipulating anything in /WEB-INF or /META-INF.
    Note: this could only happen when a user had read/write access on the
    context.
  
  Revision  Changes    Path
  1.16      +18 -4     
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
  
  Index: WebdavServlet.java
  ===================================================================
  RCS file: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
  retrieving revision 1.15
  retrieving revision 1.16
  diff -u -r1.15 -r1.16
  --- WebdavServlet.java        2001/04/05 18:55:02     1.15
  +++ WebdavServlet.java        2001/04/05 19:03:08     1.16
  @@ -1,7 +1,7 @@
   /*
  - * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
 1.15 2001/04/05 18:55:02 remm Exp $
  - * $Revision: 1.15 $
  - * $Date: 2001/04/05 18:55:02 $
  + * $Header: 
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java,v
 1.16 2001/04/05 19:03:08 remm Exp $
  + * $Revision: 1.16 $
  + * $Date: 2001/04/05 19:03:08 $
    *
    * ====================================================================
    *
  @@ -125,7 +125,7 @@
    * are handled by the DefaultServlet.
    *
    * @author Remy Maucherat
  - * @version $Revision: 1.15 $ $Date: 2001/04/05 18:55:02 $
  + * @version $Revision: 1.16 $ $Date: 2001/04/05 19:03:08 $
    */
   
   public class WebdavServlet
  @@ -1481,10 +1481,24 @@
               }
           }
           
  +        destinationPath = normalize(destinationPath);
  +        
           if (debug > 0)
               System.out.println("Dest path :" + destinationPath);
           
  +        if ((destinationPath.toUpperCase().startsWith("/WEB-INF")) ||
  +            (destinationPath.toUpperCase().startsWith("/META-INF"))) {
  +            resp.sendError(WebdavStatus.SC_FORBIDDEN);
  +            return false;
  +        }
  +        
           String path = getRelativePath(req);
  +        
  +        if ((path.toUpperCase().startsWith("/WEB-INF")) ||
  +            (path.toUpperCase().startsWith("/META-INF"))) {
  +            resp.sendError(WebdavStatus.SC_FORBIDDEN);
  +            return false;
  +        }
           
           if (destinationPath.equals(path)) {
               resp.sendError(WebdavStatus.SC_FORBIDDEN);
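Review bot: The two new prefix checks call `toUpperCase()` with no Locale, so the comparison depends on the JVM's default locale; under a locale such as Turkish, a lower-case `i` in `/web-inf` maps to a dotted capital I and the string no longer matches `"/WEB-INF"`, which lets the COPY through to the protected directory. Both checks should use `destinationPath.toUpperCase(Locale.ENGLISH).startsWith("/WEB-INF")` (and the same for `"/META-INF"` and for `path`), with `java.util.Locale` imported. Since the identical test is now written twice, it could also be factored into a small private helper taking the path so the two branches cannot drift apart. Separately, `destinationPath = normalize(destinationPath)` on the first added line: if this class's `normalize` follows the convention of returning null for a path that climbs above the context root, the very next `destinationPath.toUpperCase()` throws a NullPointerException, so a null result should be rejected with SC_FORBIDDEN before the case-insensitive check; the enclosing method starts and ends outside this hunk.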
  
  
  
