[jboss-dev-forums] [Design the new POJO MicroContainer] - VFS security issues for jbossweb

scott.stark@jboss.org do-not-reply at jboss.com
Wed Nov 29 15:31:13 EST 2006 

Remy brought up the following issue when looking at using the vfs in jbossweb:

There is the usual issue that (among other problems) exposes JSP source (a request for foo.jsP will not match the *.jsp pattern, but the default servlet will find and serve a file named foo.jsp on the filesystem).

To check case sensitivity (on a filesystem), you have to compare the absolute path (which will return the absolute path using what you used - here, it would be /some/path/foo.jsP) with the canonical path (which will rebuild everything from the filesystem, so it would be /some/path/foo.jsp). No match means the filesystem abstraction will return null (= not found).

However, this check does not work when symlinking is used on Unix, so there's an override flag.

Example code from Tomcat:

  |     protected File file(String name) {
  | 
  |         File file = new File(base, name);
  |         if (file.exists() && file.canRead()) {
  | 
  |         	if (allowLinking)
  |         		return file;
  |         	
  |             // Check that this file belongs to our root path
  |             String canPath = null;
  |             try {
  |                 canPath = file.getCanonicalPath();
  |             } catch (IOException e) {
  |             }
  |             if (canPath == null)
  |                 return null;
  | 
  |             // Check to see if going outside of the web application root
  |             if (!canPath.startsWith(absoluteBase)) {
  |                 return null;
  |             }
  | 
  |             // Case sensitivity check
  |             if (caseSensitive) {
  |                 String fileAbsPath = file.getAbsolutePath();
  |                 if (fileAbsPath.endsWith("."))
  |                     fileAbsPath = fileAbsPath + "/";
  |                 String absPath = normalize(fileAbsPath);
  |                 if (canPath != null)
  |                     canPath = normalize(canPath);
  |                 if ((absoluteBase.length() < absPath.length())
  |                     && (absoluteBase.length() < canPath.length())) {
  |                     absPath = absPath.substring(absoluteBase.length() + 1);
  |                     if ((canPath == null) || (absPath == null))
  |                         return null;
  |                     if (absPath.equals(""))
  |                         absPath = "/";
  |                     canPath = canPath.substring(absoluteBase.length() + 1);
  |                     if (canPath.equals(""))
  |                         canPath = "/";
  |                     if (!canPath.equals(absPath))
  |                         return null;
  |                 }
  |             }
  | 
  |         } else {
  |             return null;
  |         }
  |         return file;
  | 
  |     }
  | 

Note: The normalization thingie removes ".." and things like that. It is there because of possible usage through the request dispatcher.

Note2: These operations are expensive, but there's a cache (another dir context) on top of that dir context.




View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=3989813#3989813

Reply to the post : http://www.jboss.com/index.html?module=bb&op=posting&mode=reply&p=3989813

More information about the jboss-dev-forums mailing list