remm 02/01/08 04:14:57
Modified: catalina/src/share/org/apache/catalina/servlets DefaultServlet.java
Log:
- WARNING: Potential security problems, allowing access to WEB-INF, can be created by this patch, although my limited testing did not reveal any problems.
- Fixes 5724: allow redirection to resources inside /WEB-INF, which could be used to set error pages.
- I am not in favor of porting the fix to the 4.0.x branch without extensive review because of the possible security issues.
Revision Changes Path
1.50 +4 -26 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java
Index: DefaultServlet.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
--- DefaultServlet.java 3 Jan 2002 08:52:56 -0000 1.49
+++ DefaultServlet.java 8 Jan 2002 12:14:57 -0000 1.50
@@ -1,7 +1,7 @@
 /*
- * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v 1.49 2002/01/03 08:52:56 remm Exp $
- * $Revision: 1.49 $
- * $Date: 2002/01/03 08:52:56 $
+ * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java,v 1.50 2002/01/08 12:14:57 remm Exp $
+ * $Revision: 1.50 $
+ * $Date: 2002/01/08 12:14:57 $
  *
  * ====================================================================
  *
@@ -125,7 +125,7 @@
  *
  * @author Craig R. McClanahan
  * @author Remy Maucherat
- * @version $Revision: 1.49 $ $Date: 2002/01/03 08:52:56 $
+ * @version $Revision: 1.50 $ $Date: 2002/01/08 12:14:57 $
  */
 public class DefaultServlet
@@ -584,12 +584,6 @@
 String path = getRelativePath(req);
- if ((path.toUpperCase().startsWith("/WEB-INF")) ||
- (path.toUpperCase().startsWith("/META-INF"))) {
- resp.sendError(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
 // Retrieve the resources
 DirContext resources = getResources();
@@ -740,12 +734,6 @@
 String path = getRelativePath(req);
- if ((path.toUpperCase().startsWith("/WEB-INF")) ||
- (path.toUpperCase().startsWith("/META-INF"))) {
- resp.sendError(HttpServletResponse.SC_FORBIDDEN);
- return;
- }
-
 // Retrieve the Catalina context
 // Retrieve the resources
 DirContext resources = getResources();
@@ -1130,16 +1118,6 @@
 else log("DefaultServlet.serveResource: Serving resource '" + path + "' headers only");
- }
-
- // Exclude any resource in the /WEB-INF and /META-INF subdirectories
- // (the "toUpperCase()" avoids problems on Windows systems)
- if ((path == null) ||
- path.toUpperCase().startsWith("/WEB-INF") ||
- path.toUpperCase().startsWith("/META-INF")) {
- response.sendError(HttpServletResponse.SC_NOT_FOUND,
- request.getRequestURI());
- return;
 }
 // Retrieve the Catalina context and Resources implementation
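Review bot: The condition removed in the third hunk (old line 1130) also covered `path == null`, so this change drops the null guard together with the /WEB-INF check and a null relative path now continues past `// Retrieve the Catalina context and Resources implementation` into whatever follows the hunk; the first two hunks (584, 740) remove the same /WEB-INF and /META-INF refusal with nothing visible taking its place. The null case is independent of the WEB-INF question and worth keeping: `if (path == null) { response.sendError(HttpServletResponse.SC_NOT_FOUND, request.getRequestURI()); return; }`. Since the log says the goal is to let error-page redirection reach /WEB-INF resources, a narrower change would keep refusing requests that did not arrive through a RequestDispatcher — for includes the presence of the `javax.servlet.include.request_uri` attribute is the Servlet 2.3 signal; for forwards I cannot see a marker from this diff, so that part would need checking against the dispatcher code. Whatever is decided, a comment at each of the three sites should record where /WEB-INF filtering now happens, e.g. `// /WEB-INF and /META-INF are deliberately not filtered here (rev 1.50, bug 5724) so error-page forwards can reach them`. All three enclosing methods start and end outside these hunks.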