Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Major
Fix Version/s: 2.1.8.Final, 2.2.8.Final, 2.0.37.Final
Affects Version/s: 2.1.7.Final
Component/s: Core
Labels:
None

Steps to Reproduce:
Hide

Install a EAP 7.3.6 and then deploy IssueTest.war

From a browser visit http://localhost:8080/IssueTest/jsp/forward-1.jsp

The above jsp tries to forward request to web.xml file using below code with relative path ../../../../WEB-INF/web.xml.

request.getRequestDispatcher("../../../../WEB-INF/web.xml").forward(request, response);

Expected result: The calculated path goes outside/beyond the context root /IssueTest and a null should be returned by method getRequestDispatcher().

Actual result: the content of web.xml file is returned to browser and there is no error.
Show
Install a EAP 7.3.6 and then deploy IssueTest.war From a browser visit http://localhost:8080/IssueTest/jsp/forward-1.jsp The above jsp tries to forward request to web.xml file using below code with relative path ../../../../WEB-INF/web.xml . request.getRequestDispatcher( "../../../../WEB-INF/web.xml" ).forward(request, response); Expected result: The calculated path goes outside/beyond the context root /IssueTest and a null should be returned by method getRequestDispatcher() . Actual result: the content of web.xml file is returned to browser and there is no error.
Release Note Text:
Undefined
Git Pull Request:
https://github.com/undertow-io/undertow/pull/1117, https://github.com/undertow-io/undertow/pull/1118, https://github.com/undertow-io/undertow/pull/1119, https://github.com/undertow-io/undertow/pull/1151, https://github.com/undertow-io/undertow/pull/1152, https://github.com/undertow-io/undertow/pull/1153

In Undertow, when the class io.undertow.util.CanonicalPathUtils is used to canonicalize a given path URI, it may ignore some two-dot segments (../) when the calculated path goes beyond/outside the servlet context.

The javadoc of getRequestDipatcher says:

The pathname specified may be relative, although it cannot extend outside the current servlet context. If the path begins with a "/" it is interpreted as relative to the current context root. This method returns null if the servlet container cannot return a RequestDispatcher.

So a path like /../../../something is currently returning the dispatcher to /something which is against the spec or at least very weird. Returning null is much more aligned with the spec and with the reference implementation.

There will be a way (system property) of setting back the previous behavior just in case.

- - Sort By Name
  - Sort By Date
  - Ascending
  - Descending
  - Thumbnails
  - List
  - Download All

IssueTest.war
2 kB
2021/04/26 2:21 PM

causes

JBEAP-21589 [GSS](7.3.z) UNDERTOW-1886 - Undertow ignores two-dot segments in relative path URI when its canonicalized path is outside servlet context

Verified

JBEAP-21749 [GSS](7.4.z) UNDERTOW-1886 - Undertow ignores two-dot segments in relative path URI when its canonicalized path is outside servlet context

Verified

JBEAP-23475 Error processing request when path contains "/../../"

Closed

is incorporated by

WFCORE-5425 Upgrade Undertow from 2.2.6.Final to 2.2.8.Final

Closed

Assignee:: Ricardo Martin Camarero

Reporter:: Ricardo Martin Camarero

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2021/04/26 2:20 PM

Updated:: 2022/12/06 1:49 PM

Resolved:: 2021/05/25 8:34 AM

Details

Description

Attachments

Attachments

Issue Links

Activity

People

Dates