Uploaded image for project: 'JBoss Enterprise Application Platform'
  1. JBoss Enterprise Application Platform
  2. JBEAP-21749

[GSS](7.4.z) UNDERTOW-1886 - Undertow ignores two-dot segments in relative path URI when its canonicalized path is outside servlet context

XMLWordPrintable

    • False
    • False
    • +
    • Undefined
    • Hide
      1. Install a EAP 7.3.6 and then deploy IssueTest.war
      2. From a browser visit http://localhost:8080/IssueTest/jsp/forward-1.jsp
      3. The above jsp tries to forward request to web.xml file using below code with relative path "../../../../WEB-INF/web.xml"
      request.getRequestDispatcher("../../../../WEB-INF/web.xml").forward(request, response);
      

      Expected result: The calculated path goes outside/beyond the context root /IssueTest and a null should be returned by method getRequestDispatcher() , with proper error/warning message.

      Actual result: the content of web.xml file is returned to browser and there is no error.

      Show
      Install a EAP 7.3.6 and then deploy IssueTest.war From a browser visit http://localhost:8080/IssueTest/jsp/forward-1.jsp The above jsp tries to forward request to web.xml file using below code with relative path "../../../../WEB-INF/web.xml" request.getRequestDispatcher( "../../../../WEB-INF/web.xml" ).forward(request, response); Expected result: The calculated path goes outside/beyond the context root /IssueTest and a null should be returned by method getRequestDispatcher() , with proper error/warning message. Actual result: the content of web.xml file is returned to browser and there is no error.

      In Undertow, when the class "io.undertow.util.CanonicalPathUtils" is used to canonicalize a given path URI, it may ignore some two-dot segments (../) when the calculated path goes beyond/outside the servlet context.

      Reference: JBEAP-21543

      The javadoc of getRequestDipatcher says:

      The pathname specified may be relative, although it cannot extend outside the current servlet context. If the path begins with a "/" it is interpreted as relative to the current context root. This method returns null if the servlet container cannot return a RequestDispatcher.

      So a path like /../../../something is currently returning the dispatcher to /something which is against the spec or at least very weird. Returning null is much more aligned with the spec and with the reference implementation.

      There will be a way (system property) of setting back the previous behavior just in case.

            rhn-support-rmartinc Ricardo Martin Camarero
            rhn-support-rmartinc Ricardo Martin Camarero
            Votes:
            0 Vote for this issue
            Watchers:
            4 Start watching this issue

              Created:
              Updated:
              Resolved: