Mojarra uses an implicit check at ResourceHandlerImpl#isExcluded to prevent the application from returning unwanted resources, which by default are '.class .jsp .jspx .properties .xhtml .groovy' files. The check is performed via regex and the pattern is constructed with Pattern.compile(".*\\" + [each of RESOURCE_EXCLUDES values]).

This regex is prone to bypass. The Java docs specify that the regex character dot . 'matches any character except a line terminator' [1], so the check stops at the point it reaches any character among \n \r \u0085 \u2028 \u2029 in the resource name. Later, when reading in the resource name, it conveniently skips a character (which is supposed to be the forward-slash), making this the perfect place for the line terminator as it does not change the meaning of the resource name.

    if (RESOURCE_IDENTIFIER.length() < resourceId.length()) {
        resourceName = resourceId.substring(RESOURCE_IDENTIFIER.length() + 1);
        assert(resourceName != null);

A simple fix for this would be to specify the regex DOTALL parameter. From how I see it, the regex could even be replaced by a simple String#endsWith to also improve performance.

The vulnerable code has been in existence ever since ResourceHandler was introduced following the JSF2 implementation. This is a security feature bypass by itself, but what makes it more special is that it could be combined with any of the path traversals in the past to escalate their severity. In any case, these could lead to disclosure of arbitrary files under the web root, and in some edge cases, depending on the underlying container, even files outside of web contexts.

[1] https://docs.oracle.com/javase/8/docs/api/java/util/regex/Pattern.html#lt
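The following is an added illustration, not Mojarra's ResourceHandlerImpl code: it rebuilds the exclusion check exactly as the report describes it (".*" plus the escaped suffix, default regex flags) and sets it beside the two fixes proposed above, DOTALL and String#endsWith. The class name, method names and the sample resource names are constructed for this example; the exclusion list is the default list quoted in the report.

```java
import java.util.Arrays;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration; class and method names are invented, not Mojarra's.
public class ResourceExcludeCheck {

    // Default exclusion list as given in the report.
    static final List<String> RESOURCE_EXCLUDES =
            Arrays.asList(".class", ".jsp", ".jspx", ".properties", ".xhtml", ".groovy");

    // Weak check, built the way the report describes: ".*" followed by the escaped suffix.
    // In default mode '.' does not match \n, \r, \u0085, \u2028 or \u2029, so ".*" cannot
    // cross a line terminator and matches() fails for any name that contains one.
    static boolean isExcludedWeak(String resourceName) {
        for (String suffix : RESOURCE_EXCLUDES) {
            Pattern p = Pattern.compile(".*\\" + suffix);
            if (p.matcher(resourceName).matches()) {
                return true;
            }
        }
        return false;
    }

    // First fix from the report: DOTALL lets '.' match line terminators as well.
    static boolean isExcludedDotAll(String resourceName) {
        for (String suffix : RESOURCE_EXCLUDES) {
            Pattern p = Pattern.compile(".*\\" + suffix, Pattern.DOTALL);
            if (p.matcher(resourceName).matches()) {
                return true;
            }
        }
        return false;
    }

    // Second fix from the report: a plain suffix comparison, no regex involved.
    static boolean isExcludedEndsWith(String resourceName) {
        for (String suffix : RESOURCE_EXCLUDES) {
            if (resourceName.endsWith(suffix)) {
                return true;
            }
        }
        return false;
    }

    // Prints what each variant decides for one resource name.
    static void report(String label, String name) {
        System.out.printf("%-20s weak=%-5b dotall=%-5b endsWith=%-5b%n", label,
                isExcludedWeak(name), isExcludedDotAll(name), isExcludedEndsWith(name));
    }

    public static void main(String[] args) {
        // Constructed sample names. All three variants agree on ordinary names;
        // only the weak check says "not excluded" once a line terminator is present.
        report("plain .xhtml", "templates/page.xhtml");
        report("plain .css", "css/site.css");

        String[][] terminators = {
                {"LF", "\n"}, {"CR", "\r"}, {"NEL", "\u0085"}, {"LS", "\u2028"}, {"PS", "\u2029"}
        };
        for (String[] lt : terminators) {
            report(lt[0] + " before name", lt[1] + "templates/page.xhtml");
        }
    }
}
```

Compile and run with javac/java. The first two rows come out identical across the three columns; each line-terminator row prints weak=false against dotall=true and endsWith=true, which is the gap the report describes. The endsWith form is the one to prefer when rewriting this check: it has no regex semantics to get wrong and does not compile a Pattern per candidate suffix on every request.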
Arjan, I don't think we're on the same page about the severity of the issue. Can you confirm you have looked at this and whether or not a fix is being worked on?
I believe this and #550943 need some more attention and that general users should be aware of the risks involved. I'm planning on doing a blog post on them soon.
Housekeeping. We've exceeded the three month disclosure deadline, so I've removed the confidential flag.