On 30/01/2020 18:41, Alex Pritchard wrote:
> Hi,
> Trying to drag a legacy app forward and running into a breaking change
> based on the fact that we're using struts2 to serve some JSPs from a
> directory outside our context root by taking advantage of the now-patched
> directory traversal exploit.
> Essentially the action class is returning @Result(location="../../foo.jsp").
> Previously this would be flattened from
> appName/web-inf/content/../../foo.jsp into appName/foo.jsp (I think by
> RequestUtil ?) but now it is not, so the StrictHttpFirewall isNormalized
> check fails.
> My question is if there's any way to configure our installation in some way
> to either identify the alternate directory as a root for these other jsps
> (while still functioning for the jsps that are correctly in
> web-inf/content) or to allow a specific directory traversal in some
> context.
> Appreciate any input!

I think you have identified the wrong change as the root cause of the
problem. RequestUtil still normalizes, it just won't let you traverse
outside of the webapp root. The URL above would be fine.

It isn't clear to me exactly what is going on here. A step-by-step
description of what happens may help us identitfy potential root causes.

Given that the annotation uses location and that StrictHttpFirewall is
part of Spring Security, I'm wondering if a redirect is involved. If so,
maybe something to do with useRelativeRedirects on the Context
(introduced in 7.0.67)?


To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org

Reply via email to