
I wanted to display the images inside servlets; there were many complex methods, like

Then finally I found this very easy one. I used the Image Servlet from this tutorial

and changed the web.xml:

<servlet>
 <servlet-name>Image</servlet-name>
 <servlet-class>com.jsos.image.ImageServlet</servlet-class>
 <init-param>
  <param-name>dir</param-name>
  <param-value>C:/Users/myName/Desktop/myName/workspace_j2ee/myServlet/WebContent/images</param-value>
 </init-param>
 <init-param>
  <param-name>expires</param-name>
  <param-value>86400</param-value>
 </init-param>
</servlet> 

I can successfully display an image using

/Myservlet/Image?fileName.png

but the problem is that this is actually a security hole, as I tried

/Myservlet/Image?../../src/maJavafiles.java

And to my surprise the Java files were downloaded. So how can I restrict the user from putting in this kind of URL, I mean going one level up in the directory structure?

Harry
  • To solve this issue write your own code. – Scary Wombat Jul 15 '14 at 05:43
  • @ScaryWombat I don't know what you are talking about. FYI I am a student, I have been taught this way; maybe telling me something that I should do will help me, instead of just.... – Harry Jul 15 '14 at 05:46
  • Without having access to the code in the jar that you posted a link to, there is no way to know what is wrong. The problem that it solves is trivial and could easily be written by oneself. – Scary Wombat Jul 15 '14 at 05:49

1 Answer


To be able to make such changes you need to have access to the servlet's source code. Since you can't change the code, you should develop such functionality from scratch with this security issue in mind...

You can use something like @BalusC's servlet for image viewing.

MaVRoSCy
  • I agree with your message, but maybe this should be a comment – Scary Wombat Jul 15 '14 at 05:50
  • thanks for the link, I appreciate that instead of criticizing, you actually helped me. – Harry Jul 15 '14 at 05:52
  • @HarendraSingh I do not think you have been criticized. – Scary Wombat Jul 15 '14 at 05:57
  • @ScaryWombat instead of "why on earth are you .... " you could have said "... is not a good coding practice; rather you should ... or refer to this link". Remember Stack Overflow is not for industry geniuses; many of the users here are beginners. – Harry Jul 15 '14 at 06:02
  • you are saying that it is a `security hole` because it can read your Java files (which should not be on the web server) - I guess it is you that is doing the criticizing – Scary Wombat Jul 15 '14 at 06:06
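The question shows the traversal (`/Myservlet/Image?../../src/maJavafiles.java` walks out of the `dir` init-param and returns source files) and the answer's advice is to write the servlet yourself with that issue in mind. The following is an added example of what such a replacement could look like; it is not the `com.jsos.image.ImageServlet` from the question, not @BalusC's servlet, and not code from either poster. The class name `SafeImageServlet` is made up, it keeps the same `dir` and `expires` init-params and the same `/Image?fileName.png` URL style as the question's web.xml, and it assumes Java 7+ with the `javax.servlet` API (map it in web.xml in place of the original `servlet-class`).

```java
import java.io.IOException;
import java.io.OutputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.regex.Pattern;

import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Hypothetical image servlet (added example, not the original com.jsos.image.ImageServlet).
 * Serves files from the "dir" init-param and refuses anything that does not resolve
 * to a regular file inside that directory.
 */
public class SafeImageServlet extends HttpServlet {

    // Plain file names only: one base name, one dot, one extension. No '/', '\', '%' or "..".
    private static final Pattern SAFE_NAME = Pattern.compile("[A-Za-z0-9_-]+\\.[A-Za-z0-9]+");
    private static final Set<String> ALLOWED_EXT =
            new HashSet<String>(Arrays.asList("png", "jpg", "jpeg", "gif"));

    private Path baseDir;          // canonical image directory, fixed at startup
    private long expiresSeconds;   // value of the "expires" init-param, 0 = no caching header

    @Override
    public void init() throws ServletException {
        String dir = getInitParameter("dir");
        if (dir == null) {
            throw new ServletException("init-param 'dir' is required");
        }
        try {
            // toRealPath() gives an absolute, symlink-resolved path; every request is checked against it.
            baseDir = Paths.get(dir).toRealPath();
        } catch (IOException e) {
            throw new ServletException("image dir not accessible: " + dir, e);
        }
        String expires = getInitParameter("expires");
        expiresSeconds = (expires == null) ? 0 : Long.parseLong(expires.trim());
    }

    @Override
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Same URL style as the question: /Image?fileName.png, the file name is the raw query string.
        // Matching the RAW query string means percent-encoded forms such as %2e%2e are rejected too.
        String name = req.getQueryString();
        if (name == null || !SAFE_NAME.matcher(name).matches()) {
            resp.sendError(HttpServletResponse.SC_BAD_REQUEST);
            return;
        }
        String ext = name.substring(name.lastIndexOf('.') + 1).toLowerCase();
        if (!ALLOWED_EXT.contains(ext)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        // Defence in depth: even if the name check is loosened later, the resolved path must
        // still be inside baseDir after normalisation ("..") and after symlink resolution.
        Path candidate = baseDir.resolve(name).normalize();
        if (!candidate.startsWith(baseDir) || !Files.isRegularFile(candidate)) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        Path real = candidate.toRealPath();
        if (!real.startsWith(baseDir)) {   // a symlink inside the dir pointing outside it
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }

        String mime = getServletContext().getMimeType(real.getFileName().toString());
        resp.setContentType(mime != null ? mime : "application/octet-stream");
        resp.setContentLength((int) Files.size(real));
        if (expiresSeconds > 0) {
            resp.setHeader("Cache-Control", "public, max-age=" + expiresSeconds);
        }
        OutputStream out = resp.getOutputStream();
        Files.copy(real, out);
        out.flush();
    }
}
```

With this in place, `/Myservlet/Image?fileName.png` still works, while `/Myservlet/Image?../../src/maJavafiles.java` fails the name pattern and gets a 400; a name that somehow passed the pattern but normalised to a path outside `baseDir` would get a 404 from the `startsWith` check. The allowlist pattern is the primary control; the `normalize()`/`toRealPath()` containment check is there so that loosening the pattern later (for example to allow subdirectories) does not silently reopen the hole.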