
Directory traversal vulnerability through AbstractApplicationServlet.serveStaticResourcesInVAADIN() #1782

Closed
vaadin-bot opened this Issue Sep 27, 2011 · 4 comments


vaadin-bot commented Sep 27, 2011

Originally by @hesara


Using relative paths in directory URLs, it is possible to access some files loadable through the class loader.

The directory traversal is limited to files (not JAR contents etc.) loadable through the class loader but normally not accessible from the servlet. This can, however, include the class files of the application itself.

Some application servers may be immune to this vulnerability, but Jetty is known to be vulnerable at least in certain configurations.

Portlet 2.0 (JSR-286) portlets without a separate Vaadin servlet are not affected as static resources are not loaded through Vaadin. Portlet 1.0 (JSR-168) applications are vulnerable through the Vaadin servlet used in them.

This vulnerability was discovered by Wouter Coekaerts (http://wouter.coekaerts.be).


Imported from https://dev.vaadin.com/ issue #7670


vaadin-bot commented Sep 27, 2011

Originally by @hesara


Fixed in [21326], reviewed by Leif and Wouter Coekaerts.


vaadin-bot commented Oct 2, 2011

Originally by andrewfink


Vaadin 6.6.7/6.7.0 (with this workaround) stopped working with Tomcat and antiJARLocking="true" in
webapp\META-INF\context.xml

Tomcat with [Context antiJARLocking="true"] makes a copy of all resources in a temp dir (~C:\j\t7\work\Catalina\localhost\mywebappname\loader\VAADIN). So resourceUrl.getProtocol() is "file", not jar.

Please make a better patch.


vaadin-bot commented Oct 2, 2011

Originally by andrewfink


Workaround that works for me:

In my AbstractApplicationServlet descendant:

    @Override
    protected boolean isAllowedVAADINResourceUrl(HttpServletRequest request, URL resourceUrl) {
        // Unpacked resources (Tomcat antiJARLocking) come back as file: URLs;
        // reject any path that still contains a ".." traversal segment.
        if ("file".equals(resourceUrl.getProtocol())) {
            return !resourceUrl.getPath().contains("..");
        } else {
            // Everything else (jar: URLs) goes through the stock check.
            return super.isAllowedVAADINResourceUrl(request, resourceUrl);
        }
    }
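The two points raised in this thread, a traversal through relative URL segments that reaches class-loader resources (first comment) and a fix that keys on the URL protocol and therefore breaks once Tomcat unpacks the JAR into a file: directory (antiJARLocking), can be covered by one protocol-independent check. The following is an added example written for this page, not Vaadin's own code and not the patch in [21326]; the method name isAllowedResourceUrl, the class name and the sample URLs are constructed for illustration, and it assumes Java 10 or later for the URLDecoder overload used.

```java
import java.net.MalformedURLException;
import java.net.URL;
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;

// Added example (not Vaadin project code): one allow-check that treats jar: and
// file: resource URLs the same way, so a container that unpacks JARs does not
// change the result, and that rejects any path escaping the VAADIN directory.
public class VaadinResourceUrlCheck {

    /**
     * Returns true only if the resource sits under a "VAADIN" directory and the
     * path contains no relative segments ("." or "..") after percent-decoding.
     */
    public static boolean isAllowedResourceUrl(URL resourceUrl) {
        String protocol = resourceUrl.getProtocol();
        if (!"jar".equals(protocol) && !"file".equals(protocol)) {
            // Class loaders normally hand out only these two; anything else is refused.
            return false;
        }
        // Decode first so an encoded "%2e%2e" is seen as ".." by the segment check.
        // (URLDecoder also turns '+' into a space; resource names here never rely on '+'.)
        String path = URLDecoder.decode(resourceUrl.getPath(), StandardCharsets.UTF_8);
        // jar: URLs carry the entry name after "!/"; file: URLs are checked whole.
        int bang = path.indexOf("!/");
        String entry = bang >= 0 ? path.substring(bang + 1) : path;
        // Treat backslashes as separators too (Windows work directories).
        String[] segments = entry.replace('\\', '/').split("/");
        boolean underVaadin = false;
        for (String segment : segments) {
            if (segment.equals("..") || segment.equals(".")) {
                return false; // a relative segment means the request path was never normalized
            }
            if (segment.equals("VAADIN")) {
                underVaadin = true;
            }
        }
        return underVaadin;
    }

    public static void main(String[] args) throws MalformedURLException {
        // Constructed sample URLs, not taken from any real deployment.
        String[] samples = {
            "jar:file:/opt/app/vaadin.jar!/VAADIN/themes/reindeer/styles.css",      // allowed
            "file:/tmp/work/loader/VAADIN/themes/reindeer/styles.css",              // allowed (unpacked)
            "file:/tmp/work/loader/VAADIN/../WEB-INF/classes/com/example/App.class", // rejected
            "jar:file:/opt/app/vaadin.jar!/VAADIN/%2e%2e/com/example/App.class",     // rejected
            "file:/tmp/work/loader/WEB-INF/classes/com/example/App.class"           // rejected
        };
        for (String s : samples) {
            System.out.println(isAllowedResourceUrl(new URL(s)) + "  " + s);
        }
    }
}
```

The check deliberately ignores the protocol once it has confirmed it is one the class loader produces: what matters is where the resolved resource lives, not whether the container served it from a JAR or from an unpacked copy. Requiring a literal VAADIN segment and refusing any "." or ".." segment after decoding is what keeps a request from reaching application class files through the same loader.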


vaadin-bot commented Nov 17, 2011

Originally by @Artur-


The additional problems were fixed in #7692.

@vaadin-bot vaadin-bot closed this Nov 17, 2011

@vaadin-bot vaadin-bot added the bug label Dec 9, 2016
