Announcement Announcement Module
No announcement yet.
UrlFilenameViewController secure? Page Title Module
Move Remove Collapse
Conversation Detail Module
  • Filter
  • Time
  • Show
Clear All
new posts

  • UrlFilenameViewController secure?


    I just have to fill some security form to document our last project.

    We are using the Spring-Framework 2.5.6 org.springframework.web.servlet.mvc.UrlFilenameVie wController in the standard way to map an URL like "/products.html" to "/WEB-INF/jsp/products.jsp".

    My question is now: would it be somehow possible to modify the "products" part of the URL in such a way that it is a potential security risk? Could I use this e.g. to access any other JSP/files in the application not under WEB-INF/jsp, or even outside our webapp or the servlet container?

    I couldn't find any information on this, couldn't find anything in the Spring code or in general articles about Java security. Does the Java Security Manager prevent abuse here by default?

    The security form wants to prevent me from doing something stupid like <?php include($_REQUEST['filename']); ?>, but hey, this is maybe not too far from it...

    Any ideas?

    Thanks and best regards,
    Last edited by joe_leads; Mar 18th, 2010, 01:53 AM.

  • #2
    The UrlFilenameViewController is as safe as you configure it. If your fear, that the underlying software stack might have security issues, you can always create your own subclass and overwrite extractViewNameFromUrlPath to make sure only allowed characters are used. That prevents things like "../../really_secret.file".
    If that's not enough you can replace the UrlFilenameViewController with ParameterizableViewControllers for every resource you want to show. That might be tedious, but is probably as safe as it gets.