getResource method

 
vasu maj
Ranch Hand
Posts: 396
I was reading Manning's study kit and came across this observation:

"getResource method can be a security hole if used improperly. It has access to all the files including the files in WEB-INF directory."

I could not quite get the concept. I would appreciate some elaboration of the topic by people in the know...
Thanks,
vasu
 
Peter den Haan
author
Ranch Hand
Posts: 3252
The getResource() method can be used to access any resource path, including paths that are protected using security constraints or which aren't directly accessible such as /WEB-INF/*.
Any servlet or JSP that uses getResource() is a potential security hole. For example, say that I'm trying to be clever and write a servlet "cache" that implements a memory cache, so that by accessing /cache/mypicture.gif I get a cached version of /mypicture.gif. Unfortunately, that same servlet also gives access to /cache/WEB-INF/web.xml and perhaps to /cache/secret/sexfantasies.doc. Major oops.
- Peter
 
vasu maj
Ranch Hand
Posts: 396
But then the getResource method is used in the code. Regular users can't access files by just typing the address in the browser anyway. How then is it a security threat? I mean, if I am developing an application I assume that all files in my web application are accessible to me. No?

Thanks,
Vasu
[ December 28, 2002: Message edited by: vasu maj ]
 
Peter den Haan
author
Ranch Hand
Posts: 3252
A servlet such as I described above would give any user the ability to read files from locations that would normally be inaccessible.
- Peter
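The "cache" servlet Peter describes in both of his replies, as an added example that is not part of the original thread and not Peter's code. The vulnerable method hands the caller-supplied path straight to ServletContext.getResourceAsStream(), so a request for /cache/WEB-INF/web.xml returns the deployment descriptor; the hardened method normalises the path, refuses /WEB-INF and /META-INF, and only serves paths under an allowlist of prefixes. The servlet class name, the /cache/* mapping, and the allowed prefixes (/images/, /static/) are assumptions for the example; everything else is the standard Servlet API.

```java
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.file.InvalidPathException;
import java.nio.file.Paths;
import java.util.Locale;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical "cache" servlet, assumed to be mapped to /cache/* in web.xml.
public class CacheServlet extends HttpServlet {

    // Assumed allowlist: the only resource trees this servlet is meant to serve.
    // getResource() ignores web.xml security constraints, so a denylist of
    // /WEB-INF alone would still expose anything under a role-protected /secret/.
    private static final String[] ALLOWED_PREFIXES = { "/images/", "/static/" };

    // Vulnerable form, as described in the thread: whatever follows /cache is
    // passed to getResourceAsStream unchanged, so "/WEB-INF/web.xml" and
    // "/secret/..." are served to any user who asks for them.
    InputStream openUnsafe(String pathInfo) {
        return getServletContext().getResourceAsStream(pathInfo);
    }

    // Hardened form: returns a normalised resource path, or null if the request
    // must be refused. Kept static and side-effect free so it can be unit tested.
    static String sanitize(String pathInfo) {
        if (pathInfo == null || pathInfo.isEmpty()) {
            return null;
        }
        String normalized;
        try {
            // Paths is used only for lexical normalisation of "." and ".." segments;
            // the result is never used to touch the file system. Rooting the path
            // at "/" means a leading ".." cannot climb above the context root.
            normalized = Paths.get("/", pathInfo).normalize().toString().replace('\\', '/');
        } catch (InvalidPathException e) {
            return null; // e.g. an embedded NUL character
        }
        // Reject anything that still carries encoded characters; the container
        // decodes once, so a leftover '%' means a double-encoded segment.
        if (!normalized.startsWith("/") || normalized.equals("/")
                || normalized.indexOf('%') >= 0) {
            return null;
        }
        // Case-insensitive check: some containers and file systems match
        // resource names case-insensitively, so "/web-inf/" must be refused too.
        String upper = normalized.toUpperCase(Locale.ROOT);
        if (upper.equals("/WEB-INF") || upper.startsWith("/WEB-INF/")
                || upper.equals("/META-INF") || upper.startsWith("/META-INF/")) {
            return null;
        }
        for (String prefix : ALLOWED_PREFIXES) {
            if (normalized.startsWith(prefix)) {
                return normalized;
            }
        }
        return null;
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        String safe = sanitize(req.getPathInfo());
        if (safe == null) {
            // Same response as "not found" so the servlet does not confirm
            // which protected paths exist.
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        try (InputStream in = getServletContext().getResourceAsStream(safe)) {
            if (in == null) {
                resp.sendError(HttpServletResponse.SC_NOT_FOUND);
                return;
            }
            String mime = getServletContext().getMimeType(safe);
            resp.setContentType(mime != null ? mime : "application/octet-stream");
            try (OutputStream out = resp.getOutputStream()) {
                byte[] buf = new byte[8192];
                int n;
                while ((n = in.read(buf)) != -1) {
                    out.write(buf, 0, n);
                }
            }
        }
    }
}
```

With this in place, sanitize("/images/mypicture.gif") returns "/images/mypicture.gif", while sanitize("/WEB-INF/web.xml"), sanitize("/images/../WEB-INF/web.xml") and sanitize("/secret/report.doc") all return null. The allowlist is the part that matters most: because getResource() bypasses the container's security constraints, the servlet itself has to decide which trees it is willing to expose, rather than trying to enumerate the ones it must hide.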