JBoss Enterprise Application Platform: JBEAP-14615

ServletContext.getResourceAsStream, for deployments which have (Java EE) servlet overlays, serves files which are outside of the deployment


    • Type: Bug
    • Resolution: Done
    • Priority: Critical
    • Version: 7.2.0.CD12
    • Component: Undertow

      A user has reported in the forums that there appears to be an issue (present since the 9.0.x releases up to the current 11.0.0 WildFly release) where files such as `/etc/passwd` are served by the web container to clients when the client requests a crafted URL against a Java EE deployment that has (Java EE) servlet overlays. Please see the referenced forum thread [1] for more details.

      Although the steps noted in that thread involve the Spring framework and are triggered in a very specific way, the root cause appears to be the call to `ServletContext.getResourceAsStream`, which is what the Spring framework ends up calling with a path like "/../../../../../../../..//etc/passwd": it actually serves the resource even when the path is outside the scope of the deployment to which the servlet context belongs.
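      As an added example (not WildFly's or Undertow's own code), this is the check a resource resolver should make before handing a request to `ServletContext.getResourceAsStream`: reject, rather than silently collapse, any path whose ".." segments would step above the deployment root. It assumes the path has already been percent-decoded; the class and method names are mine.

```java
// Added example, not Undertow/WildFly code: reject deployment-relative resource
// paths that would escape the deployment root instead of clamping them to "/".
import java.util.ArrayDeque;
import java.util.Deque;

public final class DeploymentPathGuard {

    /**
     * Returns the normalized path ("/a/b") if it stays inside the deployment,
     * or null if any ".." segment would step above the root. The crafted path
     * from the report, "/../../../../../../../..//etc/passwd", is rejected
     * rather than being collapsed to "/etc/passwd" the way a plain
     * normalization (e.g. java.nio.file.Path.normalize on "/") would do.
     * Assumes the caller has already percent-decoded the path.
     */
    public static String normalizeInsideDeployment(String requested) {
        if (requested == null || requested.indexOf('\0') >= 0) {
            return null;                     // NUL bytes have no place in a resource path
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : requested.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                    // "//" and "./" add nothing
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null;             // would escape the deployment root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(segment);
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        String[] samples = {                 // constructed sample inputs
            "/WEB-INF/web.xml",
            "/static/../index.html",
            "/../../../../../../../..//etc/passwd",
            "/a/../../etc/passwd",
        };
        for (String s : samples) {
            System.out.println(s + " -> " + normalizeInsideDeployment(s));
        }
    }
}
```

      A servlet or overlay resolver would treat a null result as "not found" and only pass the returned path to `getResourceAsStream`.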

      I could reproduce this against the latest WildFly in a simple test case, which is here [2].

      [1] https://developer.jboss.org/thread/276826
      [2] https://github.com/jaikiran/wildfly/commit/ed05258aa824ab91a52ef6554e9707531a2cc83b

      P.S.: The credit for reporting this issue should go to Laurent Roussel, who reported this in the forum thread, but I don't have access to change the "Reporter" field of the JIRA.

              People: James Perkins (jperkins-rhn), Laurent Roussel (lroussel35, inactive), Jan Stourac, Carlo de Wolf, Sande Gilda (inactive), Yeray Borges Santana