java – Is the servlet path returned by request.getServletPath() normalized?

1) Can request.getServletPath() return any path, such as /testfolder//testfolder/file.txt, or is the path normalized to /testfolder/file.txt?

I ask because I want to know whether this path can be easily used for access control. For example, when ordinary users cannot access paths starting with /admin/, could a relative path (such as /images/../admin/secretinfo.txt) be used to bypass this control?

Please note: the browser converts any path to an absolute, normalized path before contacting the server, but assume that other, malicious clients could send relative paths to attack.

2) In addition, are there other security issues related to the servlet path that should be considered when performing such simple string-based access control?

Solution

The servlet specification is unclear. There is an open issue for the servlet specification.

The specification strongly recommends that it be normalized, but for security-related applications I would not rely on it and would run it through a normalization process myself to be safe. On this topic, I suggest not doing it yourself; I suggest reusing something like Tomcat's normalization code.
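Worked example of the "normalize first, then compare" approach the answer recommends, written for this page (it is not code from the original post, nor Tomcat's normalizer); the class name, method names and sample paths are my own choices, and the /admin/ rule is the one from the question.

```java
import java.util.ArrayDeque;
import java.util.Deque;
// Added example (not from the original post, and not Tomcat's code): normalize
// a container-supplied path before applying a prefix-based access rule.
public final class ServletPathGuard {
    // Collapses empty segments ("//"), "." and ".." into a canonical absolute path.
    // Returns null if the path is not absolute or ".." would climb above "/".
    public static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                              // "//" and "/./" add nothing
            } else if (seg.equals("..")) {
                if (segments.isEmpty()) return null;   // would climb above "/"
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        StringBuilder out = new StringBuilder();
        for (String seg : segments) {
            out.append('/').append(seg);
        }
        boolean dir = path.endsWith("/") || path.endsWith("/.") || path.endsWith("/..");
        if (out.length() == 0 || dir) {
            out.append('/');                           // keep "/admin/" distinct from "/admin"
        }
        return out.toString();
    }

    // The question's rule: ordinary users may not reach anything under /admin/.
    // A path that cannot be normalized is denied rather than let through.
    public static boolean isProtected(String servletPath) {
        String canonical = normalize(servletPath);
        return canonical == null || canonical.equals("/admin") || canonical.startsWith("/admin/");
    }

    public static void main(String[] args) {
        String[] samples = {                           // constructed sample inputs
            "/testfolder//testfolder/file.txt", "/images/../admin/secretinfo.txt",
            "/admin/./", "/images/../../file.txt" };
        for (String s : samples) {
            System.out.println(s + " -> " + normalize(s) + "  protected=" + isProtected(s));
        }
    }
}
```

In the Servlet API the part of the URL after the servlet mapping is returned by getPathInfo(), not getServletPath(), so concatenate the two (or take getRequestURI() minus the context path) before normalizing, otherwise the check sees only a prefix of what the client sent.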
