[jboss-jira] [JBoss JIRA] (WFLY-9620) ServletContext.getResourceAsStream, for deployments which have (Java EE) servlet overlays, serves files which are outside of the deployment

Yeray Borges (JIRA) issues at jboss.org
Fri Feb 16 09:49:00 EST 2018


     [ https://issues.jboss.org/browse/WFLY-9620?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Yeray Borges updated WFLY-9620:
-------------------------------
    Git Pull Request: https://github.com/wildfly/wildfly/pull/10748, https://github.com/wildfly/wildfly/pull/10784, https://github.com/wildfly/wildfly/pull/10815, https://github.com/wildfly/wildfly/pull/10898  (was: https://github.com/wildfly/wildfly/pull/10748, https://github.com/wildfly/wildfly/pull/10784, https://github.com/wildfly/wildfly/pull/10815, https://issues.jboss.org/browse/WFLY-9620)


> ServletContext.getResourceAsStream, for deployments which have (Java EE) servlet overlays, serves files which are outside of the deployment
> -------------------------------------------------------------------------------------------------------------------------------------------
>
>                 Key: WFLY-9620
>                 URL: https://issues.jboss.org/browse/WFLY-9620
>             Project: WildFly
>          Issue Type: Bug
>          Components: Web (Undertow)
>    Affects Versions: 9.0.2.Final, 10.1.0.Final, 11.0.0.Final
>            Reporter: Laurent ROUSSEL
>            Assignee: Yeray Borges
>            Priority: Critical
>             Fix For: 12.0.0.Beta1
>
>
> A user has reported in the forums that there appears to be an issue (since 9.0.x till present 11.0.0 WildFly releases) where files like `/etc/passwd` are served by the web container to the clients, when the client requests a crafted URL against a Java EE deployment which has (Java EE) servlet overlays. Please see the referenced forum thread[1] for more details.
> Although the steps noted in that thread involve the Spring framework and get triggered in a very specific way, the root cause appears to be the call to `ServletContext.getResourceAsInputStream` (which is what the Spring framework ends up calling with a path like "/../../../../../../../..//etc/passwd"), which ends up actually serving the resource even if the path is outside the scope of the deployment to which the servlet context belongs.
> I could reproduce this against the latest WildFly in a simple test case that's here [2].
> [1] https://developer.jboss.org/thread/276826
> [2] https://github.com/jaikiran/wildfly/commit/ed05258aa824ab91a52ef6554e9707531a2cc83b
> P.S.: The credit for reporting this issue should go to Laurent Roussel, who reported this in the forum thread, but I don't have access to change the "Reporter" field of the JIRA.



--
This message was sent by Atlassian JIRA
(v7.5.0#75005)
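The defect described in the issue is a missing containment check: a resource path handed to the servlet context is resolved against the deployment root without verifying that the normalized result still lies under that root. The following is an added, self-contained Java example of such a check; it is not WildFly's or Undertow's code and not the fix referenced by the pull requests above. The class name `SafeResourceResolver`, the method `resolveWithinRoot`, and the temporary deployment directory it builds are all assumptions made for illustration. The traversal probe string is the one quoted in the report.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

/**
 * Illustrative (hypothetical) resolver that maps a servlet-style resource path
 * such as "/WEB-INF/web.xml" onto a file under the deployment root and refuses
 * any path whose normalized form escapes that root. Not the WildFly fix.
 */
public final class SafeResourceResolver {

    private SafeResourceResolver() {}

    /**
     * Returns the resolved file if it is inside {@code root}, or {@code null}
     * if the request would read outside the deployment.
     */
    public static Path resolveWithinRoot(Path root, String resourcePath) {
        if (resourcePath == null) {
            return null;
        }
        // Servlet resource paths are absolute relative to the context; drop the leading "/".
        String relative = resourcePath.startsWith("/") ? resourcePath.substring(1) : resourcePath;
        // NUL bytes and backslashes have no place in a servlet resource path; reject outright.
        if (relative.indexOf('\0') >= 0 || relative.indexOf('\\') >= 0) {
            return null;
        }
        Path absRoot = root.toAbsolutePath().normalize();
        // normalize() collapses "." and ".." segments and redundant separators ("//").
        Path candidate = absRoot.resolve(relative).normalize();
        // Anything that climbed above the root no longer starts with it.
        if (!candidate.startsWith(absRoot)) {
            return null;
        }
        return candidate;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample deployment: a temp directory with one file under WEB-INF.
        Path root = Files.createTempDirectory("deployment");
        Path webInf = Files.createDirectories(root.resolve("WEB-INF"));
        Files.write(webInf.resolve("web.xml"), "<web-app/>".getBytes(StandardCharsets.UTF_8));

        String[] probes = {
            "/WEB-INF/web.xml",                        // legitimate resource inside the deployment
            "/../../../../../../../..//etc/passwd",    // the traversal path quoted in the report
            "/WEB-INF/../WEB-INF/web.xml",             // ".." that stays inside the root is fine
            "/static/../../outside.txt",               // one ".." too many: escapes the root
        };
        for (String p : probes) {
            Path resolved = resolveWithinRoot(root, p);
            System.out.printf("%-42s -> %s%n", p,
                resolved == null ? "REJECTED (outside deployment root)" : resolved);
        }
    }
}
```

Two practical notes on the design. First, `Path.normalize()` is a purely lexical operation; if the deployment root may contain symbolic links pointing outside it, call `toRealPath()` on both the root and the candidate (after confirming the candidate exists) and repeat the `startsWith` test on the real paths. Second, the check belongs in the component that owns the mapping from resource path to file, which for overlay-aware deployments is the resource manager rather than individual servlets; an application-level filter like this one is a defence-in-depth measure while the container-level fix from the linked pull requests is applied.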

