http://nagoya.apache.org/bugzilla/show_bug.cgi?id=4923

getRealPath().exists() yields security exception

           Summary: getRealPath().exists() yields security exception
           Product: Tomcat 3
           Version: 3.3 Final
          Platform: All
        OS/Version: Other
            Status: NEW
          Severity: Minor
          Priority: Other
         Component: Unknown
        AssignedTo: [EMAIL PROTECTED]
        ReportedBy: [EMAIL PROTECTED]


When we run Tomcat any version
(I have tried Tomcat 3.2.3, 3.3, 4.0.1)
with security turned on
the following code yields exceptions:

<%=new File(pageContext.getServletContext().getRealPath("/")).exists()%>

<%
java.io.File tempDir=
(java.io.File)pageContext.getServletContext(
).getAttribute("javax.servlet.context.tempdir");
%>
<%=tempDir.exists()%>

I believe this happens because when you grant permissions
of the form 

grant {
  permission java.io.FilePermission "../m/-", "read";
};

this does not allow you to check if 

new File("../m").exists()

or do

new File("../m").list()

To do that you need to explicitly do

grant {
  permission java.io.FilePermission "../m/-", "read";
  permission java.io.FilePermission "../m", "read";
};

The whole issue causes security exceptions when you deploy
Cocoon2 samples, Velocity samples.
They both have code like

File log = new File(..getRealPath(logFile));
File parent = new File( log.getParent() );
if (!parent.exists()) parent.mkdirs();

No surprise this fails.

I believe that it would be quite reasonable to allow
checking exists() and doing list() on 
..getRealPath("/");
and the temporary working dir.

This bug (or not bug?) has been reported as #4922 for
Tomcat 4.0.1 final
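
The grant behaviour described in this report can be checked without starting Tomcat or installing a security manager, by asking java.io.FilePermission directly what a set of grants implies. This is an added example, not code from the report or from Tomcat; the directory /srv/webapps/m is a constructed stand-in for the report's "../m", and the class and method names are hypothetical.

```java
import java.io.FilePermission;
import java.security.Permissions;

public class DirPermissionCheck {
    // Constructed placeholder for the directory the report writes as "../m".
    static final String DIR = "/srv/webapps/m";

    // Build a permission set that grants "read" on each given path pattern.
    static Permissions policy(String... readPaths) {
        Permissions p = new Permissions();
        for (String path : readPaths) {
            p.add(new FilePermission(path, "read"));
        }
        return p;
    }

    // For each File call, test the FilePermission the security manager would check.
    static void report(String label, Permissions granted) {
        System.out.println(label);
        String[][] checks = {
            // { File call, path checked, action checked }
            {"new File(DIR).exists()", DIR, "read"},
            {"new File(DIR).list()", DIR, "read"},
            {"new File(DIR + \"/logs/app.log\").exists()", DIR + "/logs/app.log", "read"},
            // mkdirs() also needs "write" on the directory being created.
            {"new File(DIR + \"/logs\").mkdirs()", DIR + "/logs", "write"},
        };
        for (String[] c : checks) {
            boolean ok = granted.implies(new FilePermission(c[1], c[2]));
            System.out.printf("  %-45s %s%n", c[0], ok ? "allowed" : "denied");
        }
    }

    public static void main(String[] args) {
        // First grant from the report: everything below the directory, not the directory itself.
        report("read on \"" + DIR + "/-\" only:", policy(DIR + "/-"));
        // Second grant from the report: the recursive pattern plus the directory entry.
        report("read on \"" + DIR + "/-\" and \"" + DIR + "\":", policy(DIR + "/-", DIR));
    }
}
```

The mkdirs() row stays denied under both grants because they give only "read"; a policy meant to let a webapp create its log directory also needs "write" on that path.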
