Trying to drag a legacy app forward and running into a breaking change
based on the fact that we're using struts2 to serve some JSPs from a
directory outside our context root by taking advantage of the now-patched
directory traversal exploit.

Essentially the action class is returning @Result(location="../../foo.jsp").
Previously this would be flattened from
appName/web-inf/content/../../foo.jsp into appName/foo.jsp (I think by
RequestUtil ?) but now it is not, so the StrictHttpFirewall isNormalized
check fails.

My question is if there's any way to configure our installation in some way
to either identify the alternate directory as a root for these other jsps
(while still functioning for the jsps that are correctly in
web-inf/content) or to allow a specific directory traversal in some

Appreciate any input!


Reply via email to