Uploaded image for project: 'WildFly'
  1. WildFly
  2. WFLY-8158

JSP source code leak when space and periods added at the end of the URL

    XMLWordPrintable

Details

    • Bug
    • Resolution: Duplicate
    • Blocker
    • None
    • 8.2.0.Final
    • Web (Undertow)
    • None
    • Hide

      Applying the following changes to undertow addresses this:

      undertow$ git diff
diff --git a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java
--- a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java
+++ b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java
@@ -135,6 +135,8 @@ public class FileResourceManager implements ResourceManager {
                 if(path.endsWith("/") && ! file.isDirectory()) {
                     //UNDERTOW-432 don't return non directories if the path ends with a /
                     return null;
+                } else if(path.endsWith(".")) {
+                    return null;
                 }
                 boolean isSymlinkPath = isSymlinkPath(base, file);
                 if (isSymlinkPath) {
diff --git a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java
--- a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java
+++ b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java
@@ -208,6 +208,10 @@ public class ResourceHandler implements HttpHandler {
                     exchange.setResponseCode(404);
                     exchange.endExchange();
                     return;
+                } else if(exchange.getRelativePath().endsWith(".")) {
+                    exchange.setResponseCode(404);
+                    exchange.endExchange();
+                    return;
                 }
 
                 final ETag etag = resource.getETag();
diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java
--- a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java
+++ b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java
@@ -172,6 +172,9 @@ public class DefaultServlet extends HttpServlet {
                 //UNDERTOW-432
                 resp.sendError(404);
                 return;
+            } else if(path.endsWith(".")) {
+                resp.sendError(404);
+                return;
             }
             serveFileBlocking(req, resp, resource);
         }

      Note the similarity that this workaround shares with the resolution of WFLY-4595 (which was implemented by commit 4c330e2ac8a3694bfc6196e7b38ba8a426f96f8c of the 1.2.x branch of the git repository ssh://git@github.com/undertow-io/undertow where it has been called UNDERTOW-432).

      This workaround does however forbid any serving of files that actually have a period in the end of file name, why this is perhaps not a solution but only a workaround.

      Show
      Applying the following changes to undertow addresses this: undertow$ git diff diff --git a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java --- a/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java +++ b/core/src/main/java/io/undertow/server/handlers/resource/FileResourceManager.java @@ -135,6 +135,8 @@ public class FileResourceManager implements ResourceManager { if (path.endsWith( "/" ) && ! file.isDirectory()) { //UNDERTOW-432 don't return non directories if the path ends with a / return null ; + } else if (path.endsWith( "." )) { + return null ; } boolean isSymlinkPath = isSymlinkPath(base, file); if (isSymlinkPath) { diff --git a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java --- a/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java +++ b/core/src/main/java/io/undertow/server/handlers/resource/ResourceHandler.java @@ -208,6 +208,10 @@ public class ResourceHandler implements HttpHandler { exchange.setResponseCode(404); exchange.endExchange(); return ; + } else if (exchange.getRelativePath().endsWith( "." )) { + exchange.setResponseCode(404); + exchange.endExchange(); + return ; } final ETag etag = resource.getETag(); diff --git a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java --- a/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java +++ b/servlet/src/main/java/io/undertow/servlet/handlers/DefaultServlet.java @@ -172,6 +172,9 @@ public class DefaultServlet extends HttpServlet { //UNDERTOW-432 resp.sendError(404); return ; + } else if (path.endsWith( "." )) { + resp.sendError(404); + return ; } serveFileBlocking(req, resp, resource); } Note the similarity that this workaround shares with the resolution of WFLY-4595 (which was implemented by commit 4c330e2ac8a3694bfc6196e7b38ba8a426f96f8c of the 1.2.x branch of the git repository ssh://git@github.com/undertow-io/undertow where it has been called UNDERTOW-432). This workaround does however forbid any serving of files that actually have a period in the end of file name, why this is perhaps not a solution but only a workaround.

    Description

      All of the following requests will return the jsp file content untransformed, meaning that the actual content of the jsp-file is returned to the browser.

      http://localhost:8080/application/HostPage.jsp%2E
http://localhost:8080/application/HostPage.jsp%2E%2E
http://localhost:8080/application/HostPage.jsp%20%2E
http://localhost:8080/application/HostPage.jsp%20%2E%2E

      The problem with periods has perhaps to do with windows removing/accepting trailing periods in file names: here, and here because io.undertow.server.handlers.resource.FileResourceManager.getResource() delegates to java.io.File to test whether a file path is valid or not, and java.io.File does presumably delegate to Windows.

      Attachments

        Issue Links

          is related to

          Bug - A problem that impairs or prevents the functions of the product. WFLY-4595 JSP source code leak when a slash added at the end of the URL

          • Blocker - To be worked above all other priorities. This term is chosen when the severity of the issue is very high, has no workaround, or the effort for the change is comparatively low. Issues that may be very publicly visible and could generate significant media attention may also drive a higher priority.
          • Closed

          Activity

            People

              sdouglas1@redhat.com Stuart Douglas
              markus-wahl Markus Wahl (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: