RE: Download Server - directory access denied

2002-08-20 Thread Matthew Hailstone

Per,
  I actually made sure the file (filename.jpg) was at each location. If
it was allowed access, and the file was not there, I would have seen the
html page that is generated from part of my pipeline. I've tried
requesting the file when it wasn't there, and I was allowed access, and
I saw my custom file-not-found page. So, my next guess would be that this is
the way Cocoon must be handling security access (just returning the not-found
page). Thanks again for pointing that out.

Matthew

> > It seems that absolute URLs are not a problem. The following examples
> > give me an error page:
> >
> > URI:
> >
> > /../filename.jpg
> > /download/../../filename.jpg
> > /images/../../filename.jpg
> >
> > error page:
> >
> > HTTP Status 404 - /filename.jpg
> >
> > 
> --
> > --
> > 
> >
> > type Status report
> >
> > message /filename.jpg
> >
> > description The requested resource (/filename.jpg) is not available.
> >
> >
> > 
> --
> > --
> > 
> >
> > Apache Tomcat/4.1.3
> >
> >
> > Working URI:
> >
> > /download/../filename.jpg
> 
> Doesn't that simply mean that /filename.jpg isn't there? What 
> if it was in your root directory, outside of your webapp's 
> space? Would it return?
> 
> What if you try /etc/passwd?
> 
> Or on Windows NT/2000, something in /winnt?
> 
> Per

-
Please check that your question has not already been answered in the
FAQ before posting. <http://xml.apache.org/cocoon/faq/index.html>

To unsubscribe, e-mail: <[EMAIL PROTECTED]>
For additional commands, e-mail: <[EMAIL PROTECTED]>




RE: Download Server - directory access denied

2002-08-20 Thread Per Kreipke

> It seems that absolute URLs are not a problem. The following examples
> give me an error page:
>
> URI:
>
> /../filename.jpg
> /download/../../filename.jpg
> /images/../../filename.jpg
>
> error page:
>
> HTTP Status 404 - /filename.jpg
>
> 
> 
>
> type Status report
>
> message /filename.jpg
>
> description The requested resource (/filename.jpg) is not available.
>
>
> 
> 
>
> Apache Tomcat/4.1.3
>
>
> Working URI:
>
> /download/../filename.jpg

Doesn't that simply mean that /filename.jpg isn't there? What if it was in
your root directory, outside of your webapp's space? Would it return?

What if you try /etc/passwd?

Or on Windows NT/2000, something in /winnt?

Per






RE: Download Server - directory access denied

2002-08-20 Thread Matthew Hailstone

> It might be a concern to others, but doing it in the resolver 
> would probably break just about everything in C2: the 
> resolver is used by the sitemap to get relative URLs for 
> every pipeline, matcher etc. And viewing the source using the 
> samples might use relative paths.
> 
> I suggest that you subclass the default reader (which is what 
> you're using I
> believe) and remove all string occurrences of '../' or '/..' 
> or somesuch before resolving. Then let the rest of the 
> reader's code execute, thereby returning 'invalid resource' 
> errors when appropriate.
> 
> Note: You might want to remove the 'download' prefix on the 
>  in your sitemap and see if all of a sudden 
> absolute URLs work too. Ouch if they do.

It seems that absolute URLs are not a problem. The following examples
give me an error page:

URI:

/../filename.jpg
/download/../../filename.jpg
/images/../../filename.jpg

error page:

HTTP Status 404 - /filename.jpg




type Status report

message /filename.jpg

description The requested resource (/filename.jpg) is not available.





Apache Tomcat/4.1.3


Working URI:

/download/../filename.jpg

Matthew

> 
> Per





RE: Download Server - directory access denied

2002-08-20 Thread Per Kreipke

> Wow! Great comment. I changed the URI to:
>
>   /download?file=../../../conf/web.xml
>
> and actually accessed the file. Is this a concern to anyone else?
>
> Thanks Per.

Sure.

It might be a concern to others, but doing it in the resolver would probably
break just about everything in C2: the resolver is used by the sitemap to
get relative URLs for every pipeline, matcher etc. And viewing the source
using the samples might use relative paths.

I suggest that you subclass the default reader (which is what you're using I
believe) and remove all string occurrences of '../' or '/..' or somesuch
before resolving. Then let the rest of the reader's code execute, thereby
returning 'invalid resource' errors when appropriate.

Note: You might want to remove the 'download' prefix on the  in
your sitemap and see if all of a sudden absolute URLs work too. Ouch if they
do.

Per






Re: Download Server - directory access denied

2002-08-20 Thread Vadim Gritsenko

Matthew Hailstone wrote:

>I see. So the  element, notwithstanding it is inside the
> element, is actually still inside the
> element's scope.
>

Yes, this is correct.


> From your comment, I suppose I
>should have known this because it follows the XSLT specification.
>

No, this has no relation to XSLT spec.
It just seems somewhat similar to the behavior of the xsl:attribute tag
in XSLT: the attribute gets attached to the parent tag (maybe this seems
so only to me?)

Vadim


>Thanks again! That is very helpful to know.
>
>Matthew
>
>  
>
>>> 
>>> 
>>> 
>>>
>>>  
>>>
>>1> Entered match scope
>>
>>
>>
>>> 
>>> 
>>>
>>>  
>>>
>>2> Entered act "request" scope
>>
>>
>>
>>> 
>>>---  section of change  
>>>  
>>>
>>---
>>
>>
>>> 
>>>
>>>  
>>>
>>3> Entered act "resource-exists" scope
>>
>>
>>
>>> 
>>>---  section of change  
>>>  
>>>
>>---
>>
>>
>>3> About to exit act "resource-exists" scope
>>
>>
>>
>>> 
>>>
>>>  
>>>
>>2> Again at act "request" scope
>>
>>
>>
>>> 
>>> 
>>> 
>>>
>>>  
>>>
>>2> About to exit act "request" scope
>>
>>
>>
>>> 
>>>
>>>  
>>>
>>1> About to exit match scope
>>
>>
>>
>>> 
>>> 
>>>
>>>  
>>>
>>Look at the scopes of variables. Parameters are not separate entities but
>>belong to the parent tag (same as in XSLT).
>>
>>Vadim
>>
>>








RE: Download Server - directory access denied

2002-08-20 Thread Matthew Hailstone

Wow! Great comment. I changed the URI to:

  /download?file=../../../conf/web.xml

and actually accessed the file. Is this a concern to anyone else?

Thanks Per.

Matthew

> Note: not sure if this will happen, but passing the file name 
> as a request, you may want to make sure that it doesn't 
> contain a sequence of '../' such that the user is walking up 
> your tree to get at some other resource outside 'download'. 
> I'm not sure if the resolver prevents this automatically or not.
> 
> Per
> 





RE: Download Server - directory access denied

2002-08-20 Thread Per Kreipke

Note: not sure if this will happen, but passing the file name as a request,
you may want to make sure that it doesn't contain a sequence of '../' such
that the user is walking up your tree to get at some other resource outside
'download'. I'm not sure if the resolver prevents this automatically or not.

Per

> -Original Message-
> From: Matthew Hailstone [mailto:[EMAIL PROTECTED]]
> Sent: Tuesday, August 20, 2002 11:21 AM
> To: [EMAIL PROTECTED]
> Subject: RE: Download Server - directory access denied
>
>
> I see. So the  element, notwithstanding it is inside the
>  element, is actually still inside the
>  element's scope. From your comment, I suppose I
> should have known this because it follows the XSLT specification.
>
> Thanks again! That is very helpful to know.
>
> Matthew
>
> > >
> > >  
> > >  
> > >  
> > >
> >
> > 1> Entered match scope
> >
> > >  
> > >  
> > >
> >
> > 2> Entered act "request" scope
> >
> > >  
> > >---  section of change
> > ---
> > >  
> > >
> >
> > 3> Entered act "resource-exists" scope
> >
> > >  
> > >---  section of change
> > ---
> > >
> >
> > 3> About to exit act "resource-exists" scope
> >
> > >  
> > >
> >
> > 2> Again at act "request" scope
> >
> > >  
> > >  
> > >  
> > >
> >
> > 2> About to exit act "request" scope
> >
> > >  
> > >
> >
> > 1> About to exit match scope
> >
> > >  
> > >  
> > >
> > Look at the scopes of variables. Parameters are not separate entities but
> > belong to the parent tag (same as in XSLT).
> >
> > Vadim
> >
> >
>
>
>
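Per's note above (and his later suggestion to strip '../' from the request parameter before resolving it) points at the check a download reader needs. The following is an added example, not Cocoon's reader code and not code from anyone in the thread: rather than deleting '../' substrings, it canonicalises the requested path and refuses anything that does not stay inside the download root. The same test also refuses the empty {file} value that produced the original "Access is denied" error and the ../../../conf/web.xml request Matthew reports. The class name, method names and the temporary directory layout are invented for the demonstration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

/**
 * Hypothetical helper, not part of Cocoon: decides whether the value of a
 * ?file=... request parameter may be served from the download directory.
 */
public final class DownloadPathGuard {

    private final File root;         // canonical download directory
    private final String rootPrefix; // root path plus separator, for the prefix test

    public DownloadPathGuard(File downloadRoot) throws IOException {
        this.root = downloadRoot.getCanonicalFile();
        this.rootPrefix = root.getPath() + File.separator;
    }

    /**
     * Returns the file to serve, or null when the request must be refused.
     * Refused: an empty name (it would resolve to the directory itself, the
     * "Access is denied" failure seen in the thread), any name whose
     * canonical path lies outside the root, and anything that is not a file.
     */
    public File resolve(String requested) throws IOException {
        if (requested == null || requested.trim().isEmpty()) {
            return null;
        }
        // Canonicalise rather than deleting "../" substrings: the OS collapses
        // "..", "." and symlinks, so the containment test below is exact.
        File candidate = new File(root, requested).getCanonicalFile();
        if (!candidate.getPath().startsWith(rootPrefix)) {
            return null; // escaped the root, e.g. ../../../conf/web.xml
        }
        return candidate.isFile() ? candidate : null; // directory or absent: caller sends 404
    }

    /** Demo on a constructed layout: <tmp>/download/filename.jpg and <tmp>/conf/web.xml. */
    public static void main(String[] args) throws IOException {
        File tmp = Files.createTempDirectory("cocoon-demo").toFile();
        File download = new File(tmp, "download");
        download.mkdirs();
        new File(tmp, "conf").mkdirs();
        Files.write(new File(download, "filename.jpg").toPath(), new byte[] {1, 2, 3});
        Files.write(new File(tmp, "conf/web.xml").toPath(), "<web-app/>".getBytes("UTF-8"));

        DownloadPathGuard guard = new DownloadPathGuard(download);
        String[] requests = {"filename.jpg", "", "../../../conf/web.xml", "../conf/web.xml"};
        for (String r : requests) {
            File f = guard.resolve(r);
            System.out.println("file=" + r + " -> " + (f == null ? "refused" : "serve " + f.getName()));
        }
    }
}
```

Only the first request is served; the empty name and both traversal attempts are refused before any file is opened, so the reader can return its normal not-found response instead of a 500.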






RE: Download Server - directory access denied

2002-08-20 Thread Matthew Hailstone

I see. So the  element, notwithstanding it is inside the
 element, is actually still inside the
 element's scope. From your comment, I suppose I
should have known this because it follows the XSLT specification.

Thanks again! That is very helpful to know.

Matthew

> >
> >  
> >  
> >  
> >
> 
> 1> Entered match scope
> 
> >  
> >  
> >
> 
> 2> Entered act "request" scope
> 
> >  
> >---  section of change  
> ---
> >  
> >
> 
> 3> Entered act "resource-exists" scope
> 
> >  
> >---  section of change  
> ---
> >
> 
> 3> About to exit act "resource-exists" scope
> 
> >  
> >
> 
> 2> Again at act "request" scope
> 
> >  
> >  
> >  
> >
> 
> 2> About to exit act "request" scope
> 
> >  
> >
> 
> 1> About to exit match scope
> 
> >  
> >  
> >
> Look at the scopes of variables. Parameters are not separate entities but
> belong to the parent tag (same as in XSLT).
> 
> Vadim
> 
> 





Re: Download Server - directory access denied

2002-08-20 Thread Vadim Gritsenko

Matthew Hailstone wrote:

>Vadim,
>  Thanks for relating my problem to the FAQ. Now I understand. :) That
>was the problem.
>
>Interesting to note, though, here is the change that fixed the problem:
>
>  
>  
>  
>

1> Entered match scope

>  
>  
>

2> Entered act "request" scope

>  
>---  section of change  ---
>  
>

3> Entered act "resource-exists" scope

>  
>---  section of change  ---
>

3> About to exit act "resource-exists" scope

>  
>

2> Again at act "request" scope

>  
>  
>  
>

2> About to exit act "request" scope

>  
>

1> About to exit match scope

>  
>  
>
>Notice that I changed the path to the variable in the map:read but not
>the map:parameter. When I changed the map:parameter use of the {file}
>variable, I got the html page generated by the filenotfound xml and xsl
>portions of the pipeline. Why is this so?
>

Look at the scopes of variables. Parameters are not separate entities but
belong to the parent tag (same as in XSLT).

Vadim


>Thanks,
>
>Matthew
>
>P.S. Tammo, thanks for pointing me to the logs. It helped me understand
>what was going on a little better. :)
>
>  
>
>>pipeline:
>>
>> 
>> 
>> 
>> 
>> 
>> 
>  
>
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>> 
>>
>>






RE: Download Server - directory access denied

2002-08-20 Thread Matthew Hailstone

Vadim,
  Thanks for relating my problem to the FAQ. Now I understand. :) That
was the problem.

Interesting to note, though, here is the change that fixed the problem:

  
  
  
  
  
  
---  section of change  ---
  
  
---  section of change  ---
  
  
  
  
  
  
  

Notice that I changed the path to the variable in the map:read but not
the map:parameter. When I changed the map:parameter use of the {file}
variable, I got the html page generated by the filenotfound xml and xsl
portions of the pipeline. Why is this so?

Thanks,

Matthew

P.S. Tammo, thanks for pointing me to the logs. It helped me understand
what was going on a little better. :)

>pipeline:
>
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>  
>





Re: Download Server - directory access denied

2002-08-19 Thread Vadim Gritsenko

Matthew Hailstone wrote:

>I am trying to create a download server. ;) Here is the pipeline
>fragment and the error page:
>
>Environment:
>
>Win2K
>Tomcat 4.1.3
>Cocoon 2.0.3
>jdk 1.3.1_03
>
>pipeline:
>
>  
>  
>  
>  
>  
>  
>  
>  
>

Perfect fit for:

http://xml.apache.org/cocoon/faq/faq-sitemap.html#faq-7

Vadim


>  
>  
>  
>  
>  
>  
>  
>

...






AW: Download Server - directory access denied

2002-08-19 Thread Tammo van Lessen

Hi Matthew!

| Von: Matthew Hailstone [mailto:[EMAIL PROTECTED]]
[...]
| pipeline:
|
|   
|   
|   
|   
|   
|   
|   
|   
|   
|   
|   
|   
|   
|   
|   
|
|
| error page:
|
| type fatal
| message Failed to execute pipeline.
| description org.apache.cocoon.ProcessingException: Failed to execute
| pipeline.: java.io.FileNotFoundException: D:\apps\Tomcat
| 4.1\webapps\cocoon203\download (Access is denied)

It looks like your {file} parameter is empty. \cocoon203\download is a
directory, not a file, right? Perhaps take a look into the log files and
check if the parameter gets set by the request action.

cya
  Tammo






Download Server - directory access denied

2002-08-19 Thread Matthew Hailstone

I am trying to create a download server. ;) Here is the pipeline
fragment and the error page:

Environment:

Win2K
Tomcat 4.1.3
Cocoon 2.0.3
jdk 1.3.1_03

pipeline:

  
  
  
  
  
  
  
  
  
  
  
  
  
  
  


error page:

type fatal
message Failed to execute pipeline.
description org.apache.cocoon.ProcessingException: Failed to execute
pipeline.: java.io.FileNotFoundException: D:\apps\Tomcat
4.1\webapps\cocoon203\download (Access is denied)
sender org.apache.cocoon.servlet.CocoonServlet
source Cocoon servlet
stack-trace
org.apache.cocoon.ProcessingException: Failed to execute pipeline.:
java.io.FileNotFoundException: D:\apps\Tomcat
4.1\webapps\cocoon203\download (Access is denied)