CommonsXsdSchemaCollection not able to resolve relative paths on tomcat 8 [SWS-1052]
codecracker2014 opened SWS-1052 and commented
CommonsXsdSchemaCollection uses ClasspathUriResolver to resolve paths, and this also supports relative paths. For example, we have a relative path ../../common/CommonSchema.xsd.
As per the code below, the relative path will be resolved:
```java
Resource resource = resourceLoader.getResource(schemaLocation);
if (resource.exists()) {
    return createInputSource(resource);
}
else if (StringUtils.hasLength(baseUri)) {
    // let's try and find it relative to the baseUri, see SWS-413
    try {
        Resource baseUriResource = new UrlResource(baseUri);
        resource = baseUriResource.createRelative(schemaLocation);
        if (resource.exists()) {
            return createInputSource(resource);
        }
    }
    catch (IOException e) {
        // fall through
    }
}
```
The code seems to be fine, but on Tomcat 8 resource.exists() will throw an IllegalArgumentException and the relative path won't be resolved, causing server startup to fail as well.
Tomcat considers ../../common/CommonSchema.xsd as access outside of the container, which should be forbidden, and throws IllegalArgumentException.
Refer to the issue below, raised with Tomcat, where it is discussed why Tomcat is throwing IllegalArgumentException instead of MalformedURLException: https://bz.apache.org/bugzilla/show_bug.cgi?id=63104
So ideally ClasspathUriResolver should handle the exception and try to resolve the relative path.
Affects: 3.0.3
Attachments:
- spring-ws-tomcat-log.txt (2.21 kB)
Any update/suggestion on this issue?
Spring WS isn’t going to sidestep Tomcat.
As Mark said this could signal a security threat.
Newer versions of tools including Tomcat have stronger protections against security threats. This happens to be one of them.
My suggestion is to relocate the XSD to a more secure location.
@gregturn I think relative paths should be resolved within context.
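
The containment question debated in this thread, as an added example that is not code from Spring WS, Tomcat or any commenter: a hypothetical `ContainedSchemaResolver` that resolves a relative schemaLocation against the base URI and accepts the result only when it stays under an allowed root. The class name, the root and the sample paths are constructed, and only hierarchical URIs such as `file:` are handled.

```java
import java.net.URI;
import java.util.Arrays;
import java.util.Objects;
import java.util.Optional;

// Added example: hypothetical helper, not part of Spring WS or Tomcat.
public class ContainedSchemaResolver {

    private final URI root; // allowed root directory, normalized, path ends with "/"

    public ContainedSchemaResolver(String rootUri) {
        this.root = URI.create(rootUri.endsWith("/") ? rootUri : rootUri + "/").normalize();
    }

    /** Resolves schemaLocation against baseUri; empty if the result leaves the root. */
    public Optional<URI> resolve(String baseUri, String schemaLocation) {
        URI resolved;
        try {
            resolved = URI.create(baseUri).resolve(schemaLocation).normalize();
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed URI: treat as unresolvable
        }
        String path = resolved.getPath(); // decoded, so %2e%2e shows up as ".."
        if (path == null // opaque result (for example a jar: URI) is not handled here
                || !Objects.equals(root.getScheme(), resolved.getScheme())
                || !Objects.equals(root.getAuthority(), resolved.getAuthority())
                // normalize() keeps ".." it cannot collapse and never decodes escapes
                || Arrays.asList(path.split("/")).contains("..")
                || !path.startsWith(root.getPath())) {
            return Optional.empty();
        }
        return Optional.of(resolved);
    }

    public static void main(String[] args) {
        // Constructed sample paths for illustration only.
        ContainedSchemaResolver r = new ContainedSchemaResolver("file:/opt/app/WEB-INF/classes/xsd");
        String base = "file:/opt/app/WEB-INF/classes/xsd/service/v1/Service.xsd";
        for (String loc : new String[] {
                "../../common/CommonSchema.xsd",         // stays under the root
                "../../../other/Schema.xsd",             // climbs above the root
                "%2e%2e/%2e%2e/%2e%2e/other/Schema.xsd"  // same climb, percent-encoded
        }) {
            System.out.println(loc + " -> " + r.resolve(base, loc).map(URI::toString).orElse("rejected"));
        }
    }
}
```

Only the first sample location resolves; the other two are rejected because the resolved path falls outside the configured root.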