WildFly / WFLY-8158

JSP source code leak when space and periods added at the end of the URL

    Details

    • Type: Bug
    • Status: Closed (View Workflow)
    • Priority: Blocker
    • Resolution: Duplicate Issue
    • Affects Version/s: 8.2.0.Final
    • Fix Version/s: None
    • Component/s: Web (Undertow)
    • Labels: None
    • Workaround Description:

      Applying the following changes to undertow addresses this:

      undertow$ git diff
      diff --git a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java
      --- a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java
      +++ b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java
      @@ -135,6 +135,8 @@ public class FileResourceManager implements ResourceManager {
                       if(path.endsWith("/") && ! file.isDirectory()) {
                           //UNDERTOW-432 don't return non directories if the path ends with a /
                           return null;
      +                } else if(path.endsWith(".")) {
      +                    return null;
                       }
                       boolean isSymlinkPath = isSymlinkPath(base, file);
                       if (isSymlinkPath) {
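      Review bot: the new `else if(path.endsWith("."))` branch keys on a single trailing character, i.e. on one symptom of the normalisation, rather than on the cause named in the description (java.io.File accepting a name that Windows maps onto a different file). A sturdier check at this point is to compare the name the file system actually resolved, `file.getCanonicalFile().getName()`, with the last segment of `path` and return null on any mismatch: that covers the space-and-period variants listed in the description in one rule and, unlike `endsWith(".")`, does not refuse files on other platforms whose names legitimately end with a period, the drawback the workaround text itself points out. A comment naming this issue, in the style of the `//UNDERTOW-432` comment just above, would also help the next reader.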
      diff --git a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java
      --- a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java
      +++ b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java
      @@ -208,6 +208,10 @@ public class ResourceHandler implements HttpHandler {
                           exchange.setResponseCode(404);
                           exchange.endExchange();
                           return;
      +                } else if(exchange.getRelativePath().endsWith(".")) {
      +                    exchange.setResponseCode(404);
      +                    exchange.endExchange();
      +                    return;
                       }
       
                       final ETag etag = resource.getETag();
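      Review bot: `exchange.getRelativePath().endsWith(".")` repeats in the handler the rule that the `FileResourceManager` hunk already applies by returning null; if the resource manager already refuses these paths, the handler's existing not-found branch (the `setResponseCode(404)` just above) should cover them, and keeping two copies of the rule means they will drift apart. If the handler check is meant to protect other ResourceManager implementations, say so in a comment. Note also that this comparison assumes the relative path is already percent-decoded (`%2E` has become `.` by this point); it is worth confirming that holds for every way ResourceHandler can be mounted, otherwise the check compares against the literal encoded text.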
      diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java
      --- a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java
      +++ b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java
      @@ -172,6 +172,9 @@ public class DefaultServlet extends HttpServlet {
                       //UNDERTOW-432
                       resp.sendError(404);
                       return;
      +            } else if(path.endsWith(".")) {
      +                resp.sendError(404);
      +                return;
                   }
                   serveFileBlocking(req, resp, resource);
               }
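      Review bot: this is the third copy of the same `path.endsWith(".")` rule, after FileResourceManager and ResourceHandler; a shared helper, or a single check at the resource-manager level, keeps the three from diverging when the rule is later refined. Since the description attributes the leak to `FileResourceManager.getResource()` accepting the normalised name, the resource manager is the point of control and this `resp.sendError(404)` before `serveFileBlocking(req, resp, resource)` is defence in depth; a comment saying so, with the issue id, would make that intent clear.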
      

      Note the similarity that this workaround shares with the resolution of WFLY-4595 (which was implemented by commit 4c330e2ac8a3694bfc6196e7b38ba8a426f96f8c on the 1.2.x branch of the git repository ssh://git@github.com/undertow-io/undertow, where it is called UNDERTOW-432).

      This workaround does, however, forbid serving any file whose name actually ends with a period, which is why this is perhaps not a solution but only a workaround.


      Description

      All of the following requests return the JSP file content untransformed, meaning that the actual content of the JSP file is returned to the browser.

      http://localhost:8080/application/HostPage.jsp%2E
      http://localhost:8080/application/HostPage.jsp%2E%2E
      http://localhost:8080/application/HostPage.jsp%20%2E
      http://localhost:8080/application/HostPage.jsp%20%2E%2E
      

      The problem with periods perhaps has to do with Windows removing/accepting trailing periods in file names, because io.undertow.server.handlers.resource.FileResourceManager.getResource() delegates to java.io.File to test whether a file path is valid or not, and java.io.File presumably delegates to Windows.
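      The following is an added illustration of the mechanism just described and of a check that targets the cause rather than one symptom. It is not Undertow code and not part of this issue; the class name StrictResourceResolver is hypothetical. It assumes that java.io.File.getCanonicalFile() returns the name the operating system actually resolved, so that on Windows a request for "HostPage.jsp." (or "HostPage.jsp .") canonicalises to "HostPage.jsp", while on Linux such a path simply does not exist. Comparing that resolved name with the last segment the client requested refuses every normalised variant and still serves a file that is genuinely named with a trailing period.

```java
import java.io.File;
import java.io.IOException;

/**
 * Added example, not Undertow code: resolve a request path below a base
 * directory and refuse it whenever the file system silently mapped the
 * requested file name onto a different one (Windows dropping trailing
 * periods and spaces), so "HostPage.jsp." can never resolve to HostPage.jsp
 * and hand out the JSP source.
 */
public final class StrictResourceResolver {

    private final File base;

    public StrictResourceResolver(File base) throws IOException {
        this.base = base.getCanonicalFile();
    }

    /**
     * Returns the file to serve for an already percent-decoded request path,
     * or null when the request must be answered with 404.
     */
    public File resolve(String requestPath) throws IOException {
        // Treat the path as relative to the base directory.
        String relative = requestPath.replaceFirst("^/+", "");
        // Last segment exactly as the client requested it ("HostPage.jsp.").
        String requested = relative.substring(relative.lastIndexOf('/') + 1);
        if (requested.isEmpty()) {
            return null; // directory request; not the concern of this check
        }

        File canonical = new File(base, relative).getCanonicalFile();

        // Containment: the resolved file must still lie inside the base directory.
        if (!canonical.getPath().startsWith(base.getPath() + File.separator)) {
            return null;
        }
        if (!canonical.isFile()) {
            return null;
        }
        // The decisive check: the name the OS actually resolved must equal the
        // name that was requested. Assumption: on Windows "HostPage.jsp." and
        // "HostPage.jsp ." canonicalise to "HostPage.jsp", so they are refused.
        // A file legitimately named "notes." on Linux canonicalises to "notes."
        // and is still served, unlike with a plain endsWith(".") rule.
        if (!canonical.getName().equals(requested)) {
            return null;
        }
        return canonical;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout under the temp directory.
        File dir = new File(System.getProperty("java.io.tmpdir"), "strict-resolver-demo");
        dir.mkdirs();
        new File(dir, "HostPage.jsp").createNewFile();

        StrictResourceResolver resolver = new StrictResourceResolver(dir);
        System.out.println(resolver.resolve("/HostPage.jsp"));    // the file
        System.out.println(resolver.resolve("/HostPage.jsp."));   // null
        System.out.println(resolver.resolve("/HostPage.jsp ."));  // null
        System.out.println(resolver.resolve("/HostPage.jsp.."));  // null
    }
}
```

      The comparison is done on the canonical file rather than on the raw request string, so it also folds in the usual containment check; the request string is consulted only to learn what name the client asked for.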

      People

      • Assignee: swd847 Stuart Douglas
      • Reporter: markus-wahl Markus Wahl
      • Votes: 0
      • Watchers: 3