[PAX WEB] Does DefaultHttpContext allow access to all resources in the bundle?


Daniel Stoch

Feb 2, 2022, 1:25:30 PM
to OPS4J
Hi,

In the Wicket web framework, if a request URL has no dedicated/registered handler in the application, then WicketServlet falls back to returning a resource from the ServletContext as the response content:
InputStream stream = getServletContext().getResourceAsStream(url);
String mimeType = getServletContext().getMimeType(url);

I don't know if this is a Wicket-specific thing or a common use case in the Java Servlets world? :)
The problem is that by default PaxWeb (DefaultHttpContext) allows returning all resources available in the bundle (because all calls are delegated to Bundle methods like getResource and getEntryPaths).

In this way a user can prepare a special URL in a browser (e.g. http://our_app_url/com/somepackage/SampleClass.class) and our application will return the content of any resource which is part of the bundle (for which the DefaultHttpContext was created).
I am trying to find out how to block this behaviour (block access to these internal files in the bundle); maybe I forgot to configure something or I am doing something wrong?

PS. We are using PaxWeb 7.

--
Best regards,
Daniel

Grzegorz Grzybek

Feb 2, 2022, 1:59:09 PM
to op...@googlegroups.com
Hello

See the javadoc for javax.servlet.ServletContext.getResourceAsStream():

This method bypasses both implicit (no direct access to WEB-INF or META-INF) and explicit (defined by the web
application) security constraints. Care should be taken both when constructing the path (e.g. avoid unsanitized
user provided data) and when using the result not to create a security vulnerability in the application.

so you're right - you can get the class stream using SC.getResource().

In Pax Web you have 3 specifications (OSGi CMPN chapters):
 - 102 - HttpService
 - 128 - Web Applications
 - 140 - Whiteboard

CMPN 102 says that ServletContext.getResource() is "supported by org.osgi.service.http.HttpContext#getResource()" - see https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.http.html#org.osgi.service.http.HttpContext
Also "102.10.3.1 public HttpContext createDefaultHttpContext()" says explicitly:

getResource - Assumes the named resource is in the context bundle; this method calls the context bundle's Bundle.getResource method, and returns the appropriate URL to access the resource

CMPN 128 has chapter https://docs.osgi.org/specification/osgi.cmpn/7.0.0/service.war.html#i3096883 but it's about "default servlet" and which resources are accessible - there's nothing about javax.servlet.ServletContext.

The getResource and getResourceAsStream methods of the ServletContext interface are used to access resources in the web application. For a WAB, these resources must be found according to the findEntries method, this method includes fragments. For the getResource and getResourceAsStream method, if multiple resources are found, then the first one must be used.

So Bundle.getResource() (classLoader-like access) in CMPN 102 vs. Bundle.findEntries() (non-classLoader-like access) in CMPN 128.


getResource(String) – Backed by the ServletContextHelper

so org.osgi.service.http.context.ServletContextHelper#getResource() is used - this time (unlike in CMPN 102) there's an actual default implementation (instead of just JavaDoc):

public URL getResource(String name) {
  // a lookup needs both a name and a backing bundle
  if ((name != null) && (bundle != null)) {
    // Bundle.getEntry() expects the path without a leading slash
    if (name.startsWith("/")) {
      name = name.substring(1);
    }
    // own bundle JAR content only - no class loader, no imported packages
    return bundle.getEntry(name);
  }
  return null;
}

So this time - Bundle.getEntry() (non-classLoader-like access).

I hope this helps and gives you the right context (sic!).

regards
Grzegorz Grzybek
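The control both posts point at, as an added example that is not from this thread, from Pax Web or from the OSGi specification: a custom org.osgi.service.http.HttpContext (the CMPN 102 hook that backs ServletContext.getResource() in the HttpService case) whose getResource() serves only entries below one dedicated folder and uses Bundle.getEntry() rather than Bundle.getResource(), so the Wicket fallback described in the question can no longer hand out .class files or bundle metadata. The class name RestrictedHttpContext, the folder name webroot/ and the probe paths in main() are assumptions made for this example.

```java
import java.io.IOException;
import java.net.URL;
import java.util.Arrays;
import java.util.Collections;
import java.util.HashSet;
import java.util.Set;

import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.osgi.framework.Bundle;
import org.osgi.service.http.HttpContext;

/**
 * HttpContext that exposes only bundle entries below one dedicated folder.
 * Class name and folder layout are assumptions made for this example.
 */
public class RestrictedHttpContext implements HttpContext {

    /** Folder inside the bundle that holds the files meant to be served (assumed layout). */
    static final String PUBLIC_ROOT = "webroot/";

    /** Defence in depth: never serve these even if PUBLIC_ROOT is widened later. */
    private static final Set<String> DENIED_PREFIXES = Collections.unmodifiableSet(new HashSet<>(
            Arrays.asList("WEB-INF/", "META-INF/", "OSGI-INF/", "OSGI-OPT/")));

    private final Bundle bundle;

    public RestrictedHttpContext(Bundle bundle) {
        this.bundle = bundle;
    }

    /**
     * Maps a request path to a bundle entry path, or returns null when the request
     * must be refused. Expects the container to have URL-decoded the path already.
     */
    static String toEntryPath(String name) {
        if (name == null || name.isEmpty()) {
            return null;
        }
        String path = name.replace('\\', '/');
        while (path.startsWith("/")) {
            path = path.substring(1);
        }
        if (path.isEmpty()) {
            return null;
        }
        // Reject "." and ".." segments and empty segments ("a//b", trailing "/");
        // split(..., -1) keeps trailing empty segments so "css/" is refused too.
        for (String segment : path.split("/", -1)) {
            if (segment.isEmpty() || segment.equals(".") || segment.equals("..")) {
                return null;
            }
        }
        // Class files and framework metadata are never web content.
        if (path.endsWith(".class")) {
            return null;
        }
        for (String denied : DENIED_PREFIXES) {
            if (path.regionMatches(true, 0, denied, 0, denied.length())) {
                return null;
            }
        }
        return PUBLIC_ROOT + path;
    }

    @Override
    public URL getResource(String name) {
        String entry = toEntryPath(name);
        // Bundle.getEntry() looks only at this bundle's own JAR content, not at the
        // class loader (no imported packages, no fragments, no boot delegation).
        return entry == null ? null : bundle.getEntry(entry);
    }

    @Override
    public String getMimeType(String name) {
        return null; // null lets the Http Service fall back to its own MIME mapping
    }

    @Override
    public boolean handleSecurity(HttpServletRequest request, HttpServletResponse response) throws IOException {
        return true; // authentication is out of scope here; keep the default "allow"
    }

    /** Offline demonstration with constructed request paths; no OSGi framework needed. */
    public static void main(String[] args) {
        String[] probes = {
            "/css/app.css",
            "/com/somepackage/SampleClass.class",
            "/../META-INF/MANIFEST.MF",
            "/META-INF/MANIFEST.MF",
            "/img/../../OSGI-INF/blueprint/context.xml",
        };
        for (String probe : probes) {
            System.out.println(probe + " -> " + toEntryPath(probe));
        }
    }
}
```

Register the Wicket servlet with this context instead of the default one, i.e. httpService.registerServlet(alias, wicketServlet, initParams, new RestrictedHttpContext(bundle)); per CMPN 102 the ServletContext.getResource()/getResourceAsStream() calls made by the fallback are then answered by this getResource(), so only files placed under webroot/ in the bundle are served and the .class probe from the question simply yields no resource. The allow-list folder is the actual control; the .class and META-INF checks are there so that a later change to PUBLIC_ROOT does not silently reopen the bundle internals.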

OPS4J - http://www.ops4j.org - op...@googlegroups.com