Details

    • Type: Bug
    • Status: Closed
    • Priority: Minor
    • Resolution: Fixed
    • Affects Version/s: 2.2.10, 2.3.6
    • Fix Version/s: 2.2.11, 2.3.6
    • Component/s: jackrabbit-webdav
    • Labels:
      None
    • Environment:
      Not applicable

      Description

      WebdavRequestImpl.getHrefLocator tests if the URI passed as parameter starts with the context path, and passes the next segments to the locator factory.

      There is a potential hole if the parameter contains "..", because "http://example.com/dav/../foo" starts with the context path "http://example.com/dav" but represents "http://example.com/foo". Currently, it is up to the locator factory to detect this situation, meaning that every locator factory should implement this check. Additionally, DavLocatorFactory.createResourceLocator cannot throw exceptions, hence it would not fail cleanly (RuntimeException causing a 500 INTERNAL SERVER ERROR response, when a 403 FORBIDDEN status code would have been appropriate).

      Note that the Request-URI should have already been normalized by the servlet container, but in COPY/MOVE operations, the Destination-URI is not normalized.

      Conformant clients MUST NOT use dot-segments ("." or "..") [RFC 4918, Section 8.3] in Simple-Ref constructions such as the Destination header [RFC 4918, Section 10.3], but the server should be able to detect this error.

      Proposed change in WebdavRequestImpl:193 (in package org.apache.jackrabbit.webdav from webdav/java)

      • ref = uri.getRawPath();
        + ref = uri.normalize().getRawPath();
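
      Review bot: On the added line, uri.normalize() collapses only literal "." and ".." segments, and getRawPath() returns the path still percent-encoded, so a Destination carrying an encoded dot-segment such as %2e%2e reaches the context-path test unchanged. If the path is decoded further down, the test should run on the decoded and normalized form, or encoded dot-segments should be rejected at this point. A one-line comment here saying that the normalization is what makes the starts-with test meaningful, plus a unit test for /dav/../foo (rejected) and /dav/foo/../bar (accepted), would keep the call from being dropped in a later cleanup.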

      (This causes /dav/../foo to be rejected because it doesn't start with the context path, and accepts dav/foo/../bar because it starts with the context path)
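
The prefix check described in this issue, reduced to a stand-alone Java sketch that is added here as an example and is not Jackrabbit's code. The class name, the CONTEXT_PATH constant, the resourcePath helper and the sample Destination values are assumptions made for the demonstration.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class DestinationPrefixCheck {
    // Assumed context path, taken from the example URL in the issue.
    static final String CONTEXT_PATH = "/dav";

    /**
     * Returns the path below the context path that would be handed to the
     * locator factory, or null when the href lies outside the context
     * (the case the issue says should end in 403 Forbidden).
     */
    static String resourcePath(String href, boolean normalize) throws URISyntaxException {
        URI uri = new URI(href);
        // normalize == false models the check before the change,
        // normalize == true models the proposed change.
        String ref = (normalize ? uri.normalize() : uri).getRawPath();
        if (ref == null) {
            return null; // opaque URI, no path to test
        }
        if (ref.equals(CONTEXT_PATH)) {
            return "/";
        }
        // Compare on a segment boundary (this example's choice) so that
        // "/davfoo" is not taken to be below "/dav".
        if (ref.startsWith(CONTEXT_PATH + "/")) {
            return ref.substring(CONTEXT_PATH.length());
        }
        return null;
    }

    public static void main(String[] args) throws URISyntaxException {
        String[] destinations = { // constructed sample Destination header values
            "http://example.com/dav/foo",
            "http://example.com/dav/../foo",
            "http://example.com/dav/foo/../bar",
            "http://example.com/dav/foo/../../bar",
        };
        for (String d : destinations) {
            // Print what each variant would pass on; "null" means rejected.
            System.out.printf("%-38s raw=%-16s normalized=%s%n",
                d, resourcePath(d, false), resourcePath(d, true));
        }
    }
}
```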

        Activity

        Julian Reschke added a comment -

        Path-normalize the URI before subsequent processing.

        Jukka Zitting added a comment -

        Merged to the 2.2 branch in revision 1235779.


          People

          • Assignee:
            Julian Reschke
            Reporter:
            Javier Godoy

              Time Tracking

              Estimated: 10m
              Remaining: 10m
              Logged: Not Specified