WW-2779 Directory traversal vulnerability while serving static content

git-svn-id: https://svn.apache.org/repos/asf/struts/struts2/trunk@688095 13f79535-47bb-0310-9956-ffa450edef68
apache · Aug 22, 2008 · 1f1c996 · 1f1c996
1 parent 3a08768
commit 1f1c996
Showing 1 changed file with 24 additions and 0 deletions.
diff --git a/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java b/core/src/test/java/org/apache/struts2/dispatcher/StaticContentLoaderTest.java
@@ -69,6 +69,30 @@ public void testInvalidRersources1() throws IOException {
         assertEquals(0, res.getContentLength());
     }
 
+    public void testInvalidRersources2() throws IOException {
+        contentLoader.findStaticResource("/struts/..", req, res);
+        assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
+        assertEquals(0, res.getContentLength());
+    }
+
+    public void testInvalidRersources3() throws IOException {
+        contentLoader.findStaticResource("/struts/../othertest.properties", req, res);
+        assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
+        assertEquals(0, res.getContentLength());
+    }
+
+    public void testInvalidRersources4() throws IOException {
+        contentLoader.findStaticResource("/struts/..%252f", req, res);
+        assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
+        assertEquals(0, res.getContentLength());
+    }
+
+    public void testInvalidRersources5() throws IOException {
+        contentLoader.findStaticResource("/struts/..%252fothertest.properties", req, res);
+        assertEquals(HttpServletResponse.SC_NOT_FOUND, res.getStatus());
+        assertEquals(0, res.getContentLength());
+    }
+
     @Override
     protected void setUp() throws Exception {
         super.setUp();