On Thu, 10 Oct 2002, Henri Gomez wrote:

> Date: Thu, 10 Oct 2002 08:10:03 +0200
> From: Henri Gomez <[EMAIL PROTECTED]>
> Reply-To: Tomcat Developers List <[EMAIL PROTECTED]>
> To: Tomcat Developers List <[EMAIL PROTECTED]>
> Subject: Re: apps conversion from 3.3.1 to 4.1.12
>
> > If this reference is in your web.xml file, then my suggestion is already
> > being done.  To test it, try temporarily copying the settings.xml file
> > into the WEB-INF directory and changing the relative URL appropriately.
>
> Putting the file in WEB-INF works, even if I use ../settings, ie
> directly in webapps/ROOT.
>
> > I'd be -1 on removing the security check in 4.x/5.x.  Fixing 3.3.2 sounds
> > like a good idea.
>
> I'll be -1 to fix the 3.3.2 for many reasons:
>
> - It will break all deployment strategy
>
> - I'm still not sure it's a security problem since nobody prevents
>    you from changing to PUBLIC and going outside :
>
>    <!ENTITY % settings SYSTEM "../../../settings.xml"> %settings;
>
> to
>
>    <!ENTITY % settings PUBLIC "hackme" "http://hackme.com/settings.xml"> %settings;
>
> That's more than insecure, isn't it?
>

Not if you put the settings file inside "/WEB-INF" where it is not
accessible to external clients.

> I took a look in the specs and didn't see anything preventing you from having
> entities located outside the WEBAPP, so I feel it's a regression and not a
> security feature.
>
> Ad minima, in TC 4.x and 5.x, there should be a setting in web.xml,
> or server.xml to enable this behaviour even if it's prevented by default.
>

-1, for at least three reasons:

* Such a path is non-sensical when you run webapps directly from
  WAR files, because the base resource (inside the WAR) does not
  have a file path.

* The URL to the base resource is being handled by a URLStreamHandler
  provided by the servlet container (the "jndi:" prefix in Tomcat 4),
  and the spec disallows access to resources outside the WAR.

* The behavior you describe would allow any webapp to snoop the entire
  directory structure of your server with a suitably constructed
  relative path.  *You* may be running on an OS that supports access
  permissions (and understand how to use them), but that doesn't help
  the poor sod who uses something like Win98.

  Keep in mind that if it works here, it will also work
  on something like:

    InputStream stream =
      getServletContext().getResourceAsStream("../../../etc/passwd");

  with some suitable number of ".." depending on where you've got
  Tomcat installed.

Craig
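The containment check Craig is defending, written out as an added example (this is not Tomcat's code and not code from either poster; the class name, method name and the idea of returning null for a refused path are assumptions). It normalises "." and ".." segments of a context-relative path and refuses any path that would climb above the web application root, which is exactly what both the relative SYSTEM entity and the `getResourceAsStream("../../../etc/passwd")` call in the message rely on being allowed.

```java
import java.util.ArrayList;
import java.util.List;

/**
 * Added example (not Tomcat's own code): containment check for
 * context-relative resource paths such as those passed to
 * ServletContext.getResourceAsStream() or resolved for an XML
 * SYSTEM entity relative to a deployed web.xml.
 */
public final class WebappResourceGuard {

    private WebappResourceGuard() {}

    /**
     * Resolve a context-relative path against the web application root.
     * Returns the normalised root-relative path (always starting with "/"),
     * or null if the path would leave the root after normalisation.
     * Both the method and its null-on-refusal contract are assumptions.
     */
    public static String resolveWithinRoot(String contextPath) {
        if (contextPath == null) {
            return null;
        }
        List<String> segments = new ArrayList<>();
        for (String seg : contextPath.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                 // "//" and "/./" add nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;          // would climb above the webapp root
                }
                segments.remove(segments.size() - 1);
            } else {
                segments.add(seg);
            }
        }
        return "/" + String.join("/", segments);
    }

    /** Runs the check over constructed inputs, including the one from the message. */
    public static void main(String[] args) {
        String[] inputs = {
            "/WEB-INF/web.xml",             // ordinary, stays inside the root
            "WEB-INF/../index.html",        // ".." that stays inside is fine
            "../../../etc/passwd",          // from the message: must be refused
            "/WEB-INF/../../settings.xml"   // the "../settings.xml" entity style
        };
        for (String in : inputs) {
            String out = resolveWithinRoot(in);
            System.out.println(in + " -> " + (out == null ? "REFUSED" : out));
        }
    }
}
```

The point of doing this on the normalised segment list rather than on the raw string is that a check like "does the path contain ../" is fooled by paths that dip into a subdirectory first; only a path whose ".." count at some point exceeds its depth actually escapes, and that is the only case refused here. The Servlet API additionally requires `getResource` paths to begin with "/", which a container can enforce before this step.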


