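--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -43,6 +43,7 @@
 import org.apache.catalina.Wrapper;
 import org.apache.catalina.deploy.ApplicationParameter;
 import org.apache.catalina.util.Enumerator;
+import org.apache.catalina.util.RequestUtil;
 import org.apache.catalina.util.ResourceSet;
 import org.apache.catalina.util.ServerInfo;
 import org.apache.catalina.util.StringManager;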
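--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -388,7 +389,7 @@
 path = path.substring(0, pos);
 }
 
-path = normalize(path);
+path = RequestUtil.normalize(path);
 if (path == null)
 return (null);
 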
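Review bot: The `RequestUtil.normalize` call that replaces the local helper here, and the identical replacements in the hunks at lines 475-481 and 560-566, leave the following `if (path == null) return (null);` without any explanation, and the removed helper's Javadoc that used to say what a null result means is gone with it. I would add `// null: the path used ".." to climb above the context root; refuse it rather than resolve it` directly above the null check in each of the three methods. The enclosing methods begin above each hunk, so a fuller statement of the contract belongs in their Javadoc, which is outside these hunks.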
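--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -475,7 +476,7 @@
 throw new MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", path));
 }
 
-path = normalize(path);
+path = RequestUtil.normalize(path);
 if (path == null)
 return (null);
 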
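--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -524,10 +525,13 @@
 */
 public InputStream getResourceAsStream(String path) {
 
-path = normalize(path);
 if (path == null || !path.startsWith("/"))
 return (null);
 
+path = RequestUtil.normalize(path);
+if (path == null)
+return null;
+
 DirContext resources = context.getResources();
 if (resources != null) {
 try {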
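Review bot: In getResourceAsStream the `startsWith("/")` test now runs on the raw path and normalization follows it, the reverse of the old order, but nothing in the hunk records why; a path beginning with a backslash that the old code first converted to "/" is now rejected outright, which is a deliberate tightening worth a comment. I would put `// Check the prefix before normalizing: a relative or backslash-prefixed path is rejected rather than repaired` above the first check (if, as I recall, RequestUtil.normalize supplies a missing leading "/", that is the reason the order matters) and `// null here means the normalized path climbed above the context root` above the second. The method's Javadoc ends at the `*/` at the top of the hunk and should list both null outcomes. The second check also uses `return null;` while the first uses `return (null);`; one form within the method would be cleaner.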
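--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -560,7 +564,7 @@
 (sm.getString("applicationContext.resourcePaths.iae", path));
 }
 
-path = normalize(path);
+path = RequestUtil.normalize(path);
 if (path == null)
 return (null);
 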
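--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -870,45 +874,6 @@
 
 
 /**
-* Return a context-relative path, beginning with a "/", that represents
-* the canonical version of the specified path after ".." and "." elements
-* are resolved out. If the specified path attempts to go outside the
-* boundaries of the current context (i.e. too many ".." path elements
-* are present), return <code>null</code> instead.
-*
-* @param path Path to be normalized
-*/
-private String normalize(String path) {
-
-if (path == null) {
-return null;
-}
-
-String normalized = path;
-
-// Normalize the slashes
-if (normalized.indexOf('\\') >= 0)
-normalized = normalized.replace('\\', '/');
-
-// Resolve occurrences of "/../" in the normalized path
-while (true) {
-int index = normalized.indexOf("/../");
-if (index < 0)
-break;
-if (index == 0)
-return (null); // Trying to go outside our context
-int index2 = normalized.lastIndexOf('/', index - 1);
-normalized = normalized.substring(0, index2) +
-normalized.substring(index + 3);
-}
-
-// Return the normalized path that we have completed
-return (normalized);
-
-}
-
-
-/**
 * Merge the context initialization parameters specified in the application
 * deployment descriptor with the application parameters described in the
 * server configuration, respecting the <code>override</code> property of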