Yeray Borges reopened WFLY-9620:
--------------------------------
Reopen: a new PR was sent adding some changes in the test case to make it possible to execute
it in previous versions of Undertow.
ServletContext.getResourceAsStream, for deployments which have (Java
EE) servlet overlays, serves files which are outside of the deployment
-------------------------------------------------------------------------------------------------------------------------------------------
Key: WFLY-9620
URL: https://issues.jboss.org/browse/WFLY-9620
Project: WildFly
Issue Type: Bug
Components: Web (Undertow)
Affects Versions: 9.0.2.Final, 10.1.0.Final, 11.0.0.Final
Reporter: Laurent ROUSSEL
Assignee: Yeray Borges
Priority: Critical
Fix For: 12.0.0.Beta1
A user has reported in the forums that there appears to be an issue (since 9.0.x till
present 11.0.0 WildFly releases) where files like `/etc/passwd` are served by the web
container to the clients, when the client requests a crafted URL against a Java EE
deployment which has (Java EE) servlet overlays. Please see the referenced forum thread[1]
for more details.
Although the steps noted in that thread involve the Spring framework and get triggered in
a very specific way, the root cause appears to be the call to
`ServletContext.getResourceAsInputStream` (which is what the Spring framework ends up
calling) with a path like "/../../../../../../../..//etc/passwd", which ends up
actually serving the resource even if the path is outside the scope of the deployment to
which the servlet context belongs.
I could reproduce this against the latest WildFly in a simple test case that's here [2].
[1] https://developer.jboss.org/thread/276826
[2] https://github.com/jaikiran/wildfly/commit/ed05258aa824ab91a52ef6554e9707...
P.S: The credit for reporting this issue should go to Laurent Roussel who reported this
in the forum thread, but I don't have access to change the "Reporter" field
of the JIRA
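
The following is an added example, not WildFly or Undertow code and not the fix from the PR mentioned above. It sketches a containment check for a resource lookup like the one described: the requested path is normalized and rejected if it resolves outside the root directory. The class name `ContainedResourceLookup` and the temporary directory standing in for an overlay root are assumptions made for illustration.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical helper (not WildFly or Undertow code): resolves a servlet-style
// resource path against a root directory and refuses anything outside it.
public class ContainedResourceLookup {

    private final Path root;

    public ContainedResourceLookup(Path root) throws IOException {
        // Resolve symlinks once so later comparisons use the real location.
        this.root = root.toRealPath();
    }

    /** Returns the resolved file, or null if the path leaves the root or does not exist. */
    public Path resolve(String servletPath) throws IOException {
        if (servletPath == null || !servletPath.startsWith("/")) {
            return null; // servlet resource paths must begin with "/"
        }
        // Strip leading slashes so resolve() treats the path as relative to root.
        String relative = servletPath.replaceFirst("^/+", "");
        Path candidate = root.resolve(relative).normalize();
        if (!candidate.startsWith(root)) {
            return null; // "../" segments walked out of the root
        }
        if (!Files.exists(candidate)) {
            return null;
        }
        // Re-check after symlink resolution: a link inside root may point outside.
        Path real = candidate.toRealPath();
        return real.startsWith(root) ? real : null;
    }

    public InputStream open(String servletPath) throws IOException {
        Path p = resolve(servletPath);
        return (p == null || !Files.isRegularFile(p)) ? null : Files.newInputStream(p);
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample: a temporary directory stands in for an overlay root.
        Path overlay = Files.createTempDirectory("overlay");
        Files.write(overlay.resolve("index.html"), "ok".getBytes());
        ContainedResourceLookup lookup = new ContainedResourceLookup(overlay);
        System.out.println(lookup.resolve("/index.html") != null);
        System.out.println(lookup.resolve("/../../../../../../../..//etc/passwd") == null);
    }
}
```

`Path.startsWith` compares whole path elements, so a sibling directory whose name merely begins with the root's name does not pass the check the way a string prefix comparison would.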