Redefine globalXsltFile as relative to CATALINA_BASE/conf or CATALINA…

…_HOME/conf git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1578637 13f79535-47bb-0310-9956-ffa450edef68
apache · Mar 17, 2014 · 5c545da · 5c545da
1 parent b697457
commit 5c545da
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 21 deletions.
diff --git a/conf/web.xml b/conf/web.xml
@@ -88,10 +88,10 @@
   <!--                       globalXsltFile[null]                           -->
   <!--                                                                      -->
   <!--   globalXsltFile      Site wide configuration version of             -->
-  <!--                       localXsltFile This argument is expected        -->
-  <!--                       to be a physical file. [null]                  -->
-  <!--                                                                      -->
-  <!--                                                                      -->
+  <!--                       localXsltFile. This argument must be a         -->
+  <!--                       relative path that points to a location below  -->
+  <!--                       either $CATALINA_BASE/conf (checked first)     -->
+  <!--                       or $CATALINA_BASE/conf (checked second).[null] -->
 
     <servlet>
         <servlet-name>default</servlet-name>

diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -14,8 +14,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-
 package org.apache.catalina.servlets;
 
 
@@ -36,6 +34,7 @@
 import java.io.StringWriter;
 import java.util.ArrayList;
 import java.util.Iterator;
+import java.util.Locale;
 import java.util.StringTokenizer;
 
 import javax.naming.InitialContext;
@@ -1606,20 +1605,24 @@ protected InputStream findXsltInputStream(DirContext directory)
         /*  Open and read in file in one fell swoop to reduce chance
          *  chance of leaving handle open.
          */
-        if (globalXsltFile!=null) {
-            FileInputStream fis = null;
-
-            try {
-                File f = new File(globalXsltFile);
-                if (f.exists()){
-                    fis =new FileInputStream(f);
+        if (globalXsltFile != null) {
+            File f = validateGlobalXsltFile();
+            if (f != null && f.exists()){
+                FileInputStream fis = null;
+                try {
+                    fis = new FileInputStream(f);
                     byte b[] = new byte[(int)f.length()]; /* danger! */
                     fis.read(b);
                     return new ByteArrayInputStream(b);
+                } finally {
+                    if (fis != null) {
+                        try {
+                            fis.close();
+                        } catch (IOException ioe) {
+                            // Ignore
+                        }
+                    }
                 }
-            } finally {
-                if (fis!=null)
-                    fis.close();
             }
         }
 
@@ -1628,6 +1631,50 @@ protected InputStream findXsltInputStream(DirContext directory)
     }
 
 
+    private File validateGlobalXsltFile() {
+
+        File result = null;
+        String base = System.getProperty(Globals.CATALINA_BASE_PROP);
+
+        if (base != null) {
+            File baseConf = new File(base, "conf");
+            result = validateGlobalXsltFile(baseConf);
+        }
+
+        if (result == null) {
+            String home = System.getProperty(Globals.CATALINA_HOME_PROP);
+            if (home != null) {
+                File homeConf = new File(home, "conf");
+                result = validateGlobalXsltFile(homeConf);
+            }
+        }
+
+        return result;
+    }
+
+
+    private File validateGlobalXsltFile(File base) {
+        File candidate = new File(base, globalXsltFile);
+
+        // First check that the resulting path is under the provided base
+        try {
+            if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
+                return null;
+            }
+        } catch (IOException ioe) {
+            return null;
+        }
+
+        // Next check that an .xlt or .xslt file has been specified
+        String nameLower = candidate.getName().toLowerCase(Locale.ENGLISH);
+        if (!nameLower.endsWith(".xslt") && !nameLower.endsWith(".xlt")) {
+            return null;
+        }
+
+        return candidate;
+    }
+
+
     // -------------------------------------------------------- protected Methods
 
 

diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml
@@ -110,11 +110,12 @@ The DefaultServlet allows the following initParamters:
     <th valign='top'>globalXsltFile</th>
     <td valign='top'>
         If you wish to customize your directory listing, you
-        can use an XSL transformation. This value is an absolute
-        file name which be used for all directory listings.
-        This can be overridden per context and/or per directory. See
-        <strong>contextXsltFile</strong> and <strong>localXsltFile</strong>
-        below. The format of the xml is shown below.
+        can use an XSL transformation. This value is a relative file name (to
+        either $CATALINA_BASE/conf/ or $CATALINA_HOME/conf/) which will be used
+        for all directory listings. This can be overridden per context and/or
+        per directory. See <strong>contextXsltFile</strong> and
+        <strong>localXsltFile</strong> below. The format of the xml is shown
+        below.
     </td>
   </tr>
   <tr>