WW-2779 Directory traversal vulnerability while serving static content

git-svn-id: https://svn.apache.org/repos/asf/struts/struts2/trunk@687425 13f79535-47bb-0310-9956-ffa450edef68
apache · Aug 20, 2008 · 04fcefa · 04fcefa
1 parent e40a8e5
commit 04fcefa
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 9 deletions.
diff --git a/core/src/main/java/org/apache/struts2/dispatcher/DefaultStaticContentLoader.java b/core/src/main/java/org/apache/struts2/dispatcher/DefaultStaticContentLoader.java
@@ -24,13 +24,13 @@
 import java.io.InputStream;
 import java.io.OutputStream;
 import java.io.UnsupportedEncodingException;
+import java.net.URL;
 import java.net.URLDecoder;
 import java.util.ArrayList;
 import java.util.Calendar;
 import java.util.List;
 import java.util.StringTokenizer;
 
-import javax.servlet.FilterConfig;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
@@ -161,9 +161,21 @@ protected String[] parse(String packages) {
     public void findStaticResource(String path, HttpServletRequest request, HttpServletResponse response)
             throws IOException {
         String name = cleanupPath(path);
-        if (!name.endsWith(".class")) {
-            for (String pathPrefix : pathPrefixes) {
-                InputStream is = findInputStream(buildPath(name, pathPrefix));
+        for (String pathPrefix : pathPrefixes) {
+            URL resourceUrl = findResource(buildPath(name, pathPrefix));
+            if (resourceUrl != null) {
+                InputStream is = null;
+                try {
+                    //check that the resource path is under the pathPrefix path
+                    String pathEnding = buildPath(name, pathPrefix);
+                    if (resourceUrl.getFile().endsWith(pathEnding))
+                        is = resourceUrl.openStream();
+                } catch (Exception ex) {
+                    // just ignore it
+                    continue;
+                }
+
+                //not inside the try block, as this could throw IOExceptions also
                 if (is != null) {
                     process(is, path, request, response);
                     return;
@@ -258,8 +270,8 @@ private void initLogging(HostConfig filterConfig) {
      * @return The inputstream of the resource
      * @throws IOException If there is a problem locating the resource
      */
-    protected InputStream findInputStream(String path) throws IOException {
-        return ClassLoaderUtil.getResourceAsStream(path, getClass());
+    protected URL findResource(String path) throws IOException {
+        return ClassLoaderUtil.getResource(path, getClass());
     }
 
     /**

diff --git a/core/src/main/java/org/apache/struts2/dispatcher/StaticContentLoader.java b/core/src/main/java/org/apache/struts2/dispatcher/StaticContentLoader.java
@@ -20,14 +20,13 @@
  */
 package org.apache.struts2.dispatcher;
 
-import org.apache.struts2.dispatcher.ng.HostConfig;
-
 import java.io.IOException;
 
-import javax.servlet.FilterConfig;
 import javax.servlet.http.HttpServletRequest;
 import javax.servlet.http.HttpServletResponse;
 
+import org.apache.struts2.dispatcher.ng.HostConfig;
+
 /**
  * Interface for loading static resources, based on a path
  *