GLASSFISH-5605

Security: Using directory deployment on an application in a folder using non-latin characters exposes the user's hard drive.

    Details

    • Type: Bug
    • Status: Resolved
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: V3
    • Fix Version/s: V3
    • Component/s: deployment
    • Labels:
      None
    • Environment:

      Operating System: Solaris
      Platform: Sun

    • Issuezilla Id:
      5605
    • Status Whiteboard:
      gfv3-prelude-included

      Description

      This is related to my investigations of issue 5592.

      I created a folder named "Мои документы" (Russian for "My Documents") on my
      workstation by copying those characters from the browser and pasting them into
      a command window as the argument to mkdir. This gave me a folder named
      "??? ?????????" (the space does not matter - same problem).

      Then I used NetBeans to create a web application inside this folder (on my
      machine, /space/tmp/??? ?????????/WebApplication33).

      Finally, I deployed and ran the application. See attached image for what the
      browser does – picture means everything here.

      I only tried this on Solaris, but I would expect this problem exists on all
      platforms.

      Attachments:
        • server.log (17 kB, peterwx)
        • BrowserPicture.png (95 kB)

        Activity

        Tim Quinn added a comment -

        I think this may be at least partly due to an earlier aspect of how
        http-submitted commands were parsed.

        Originally in the http syntax the 2nd through n-th ? marks were interpreted as
        query parameter separators because that's how the remote CLI was submitting
        them. I think currently the http command parsing treats both the 2nd through
        n-th ? and & as query parameter separators. We did that to allow people doing
        partial builds to continue to use the older client with the newer server logic.
        Treating the extra ?s as query param separators helps lead to this problem.

        We need to make sure the server side parses the path correctly and then see if
        that clears this up.

        As for the web sniffer recognizing seemingly random directories as valid web
        apps, I've corresponded separately with Peter about this. Not only is the
        presence of WEB-INF/web.xml or WEB-INF/lib or WEB-INF/classes recognized but so
        is the presence of a .jsp file anywhere in the directory tree or archive
        specified by the path on the deploy command. My guess is that is why this was
        recognized as a web app.

        Tim Quinn added a comment -

        (taking ownership)

        Peter is changing the NB plug-in to use & for separators in the query string.
        Once he has completed that I will check in changes I already have in my local
        workspace to stop treating ? as a separator.

        Separate but related to this, Peter is also changing the NB plug-in to
        URL-encode the URLs for admin commands using UTF-8. (The server already uses
        UTF-8 to decode the values of admin options sent via the http interface.
        Similarly, the asadmin command-line utility already uses UTF-8 to encode such
        values. The World-Wide Web Consortium recommends this practice using UTF-8.)

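The parsing problem described in the first comment above (every `?` after the first treated as a parameter separator, so a path containing literal `?` characters is cut off at the parent directory, which the web sniffer then accepts because a .jsp exists somewhere below it) and the two-part fix from the second comment (`&`-only separators on the server, UTF-8 percent-encoding on the client) as an added Python example. This is illustration code, not GlassFish or NetBeans plug-in code: the `/__asadmin/deploy` URL shape, the `path` and `name` parameter names, the sniffer rule as paraphrased in the comment, and the sample directory tree under /space/tmp are assumptions made for the example; the folder name `??? ?????????` is the one from the report.

```python
"""Added illustration (not GlassFish code) of GLASSFISH-5605: a deploy path
containing '?' is truncated by a query parser that treats every '?' as a
parameter separator, the truncated parent directory passes the web sniffer,
and '&'-only separators plus UTF-8 percent-encoding close the hole."""
from urllib.parse import quote, unquote

# Constructed samples. The reporter's folder name literally became
# "??? ?????????" on his workstation, so the path itself contains '?'.
MOJIBAKE_PATH = "/space/tmp/??? ?????????/WebApplication33"
CYRILLIC_PATH = "/space/tmp/Мои документы/WebApplication33"
APP_NAME = "WebApplication33"

# Constructed tree under /space/tmp: the app plus an unrelated file.
SAMPLE_TREE = [
    "??? ?????????/WebApplication33/WEB-INF/web.xml",
    "??? ?????????/WebApplication33/index.jsp",
    "secrets/passwords.txt",
]


def _split_params(query, separators):
    """Split a query string on each character in `separators` and decode
    every name=value pair as UTF-8 percent-encoded text."""
    for extra in separators[1:]:
        query = query.replace(extra, separators[0])
    params = {}
    for piece in query.split(separators[0]):
        if not piece:
            continue
        name, _, value = piece.partition("=")
        params[unquote(name, encoding="utf-8")] = unquote(value, encoding="utf-8")
    return params


def parse_legacy(url):
    """Pre-fix behaviour described in the ticket: the first '?' ends the
    command, and every later '?' or '&' starts a new query parameter."""
    command, _, query = url.partition("?")
    return command, _split_params(query, "&?")


def parse_fixed(url):
    """Post-fix behaviour: only '&' separates parameters, so a '?' inside a
    value stays part of the value."""
    command, _, query = url.partition("?")
    return command, _split_params(query, "&")


def build_deploy_url_raw(app_path, name, separator):
    """Old client style: values pasted into the URL unencoded. The admin
    context root and parameter names are assumed for the illustration."""
    return f"/__asadmin/deploy?path={app_path}{separator}name={name}"


def build_deploy_url_encoded(app_path, name):
    """Fixed client: UTF-8 percent-encode every value and use '&' between
    parameters. safe='' also encodes '/', so '?', '&', '=' and non-ASCII
    bytes can never be mistaken for URL syntax by the server."""
    return ("/__asadmin/deploy?path=" + quote(app_path, safe="", encoding="utf-8")
            + "&name=" + quote(name, safe="", encoding="utf-8"))


def deployed_path(url, parser):
    """Path the server would hand to directory deployment."""
    return parser(url)[1].get("path", "")


def widens_deploy_root(requested, actual):
    """True when the server is about to deploy an ancestor of the requested
    directory, i.e. serve a superset of the user's files."""
    return actual != requested and requested.startswith(actual)


def sniffer_accepts(relative_files):
    """Web-sniffer rule as paraphrased in the ticket: WEB-INF/web.xml,
    WEB-INF/lib or WEB-INF/classes at the top, or a .jsp anywhere below."""
    top_markers = ("WEB-INF/web.xml", "WEB-INF/lib/", "WEB-INF/classes/")
    return any(f.startswith(top_markers) or f.endswith(".jsp") for f in relative_files)


if __name__ == "__main__":
    bad = build_deploy_url_raw(MOJIBAKE_PATH, APP_NAME, "?")
    got = deployed_path(bad, parse_legacy)
    print("legacy parse deploys:", got, "widened:", widens_deploy_root(MOJIBAKE_PATH, got))
    print("sniffer accepts /space/tmp:", sniffer_accepts(SAMPLE_TREE))
    good = build_deploy_url_encoded(CYRILLIC_PATH, APP_NAME)
    print("fixed parse deploys:", deployed_path(good, parse_fixed))
```

Running it shows the chain in the report: the legacy parser reduces the requested path to `/space/tmp/`, the sniffer accepts that directory because of the nested index.jsp, and so everything under it (including the unrelated secrets/passwords.txt in the constructed tree) becomes a deployed web application. A client that switches to `&` but still sends raw values is only safe once the server stops splitting on `?`; a client that percent-encodes its values is safe against either parser, which is why both changes were made.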
        Tim Quinn added a comment -

        (marking as started - again)

        kumara added a comment -

        v3 defect tracking

        Tim Quinn added a comment -

        Peter has changed the NB plug-in to use & (not ?) for separators between query
        parameters in the URL. This check-in changes the server side to only look for &.

        Change checked in:

        /Users/Tim/asgroup/v3/jun-11/v3/core/kernel/src/main/java/com/sun/enterprise/v3/admin/AdminAdapter.java
        Committed revision 22317.


          People

          • Assignee: Tim Quinn
          • Reporter: peterwx
          • Votes: 0
          • Watchers: 0