I am working on some security alerts on one of our servers whereby a 'file download' JSP file is able to let a user download contents of WEB-INF for the web application (Which is located in the root folder of the site). It is a very crudely simple file, written in 2007, that uses java.io.FileInputStream on unsanitised input to return a file to the user.
The alert actually claimed that this was a directory traversal problem, which it is in one way as the following URI would download the web.xml for the user:
http://domain.com/filedownload.jsp?filename=../../WEB-INF/web.xml&filepath=some/directory/
Now obviously the 'directory traversal' part should be corrected by doing user input sanitising (Which this script does not yet do). However, the following URI also delivers the web.xml to the user, but input sanitisation for directory traversal would not help here, unless the sanitisation checks for 'WEB-INF' and other 'illegal' directories...
http://domain.com/filedownload.jsp?filename=web.xml&filepath=WEB-INF/
Is there a standardised way to prevent this in common servlet containers or does this need to be entirely managed by the developer of the code? I noticed that the Java 'normalize()' function would not strip out this directory from the user input.
I tried searching for an answer for this, but all I could find was information about preventing the 'serving' of WEB-INF directly, but nothing about preventing it from being accessed from a JSP file itself.
Thanks,
Tom...