[thredds] thredds v3.16 and symbolic links to catalogues

Ethan Davis edavis at unidata.ucar.edu
Wed Jan 30 16:48:38 MST 2008 

Hi Knut,

There are a number of places in the TDS where symbolic links may break 
things. I hadn't realized this one before. The problem has to do with 
how we make sure malicious (or accidental) URLs with "../" path segments 
don't get out of the TDS configuration file area (content/thredds). 
Basically, we call java.io.File.getCanonical{File|Path}() and make sure 
the result is under content/thredds. Unfortunately, besides dealing with 
"../" path segments, getCanonicalX() also resolves symbolic links.

Redoing the tracking and validation of the config content is on our list 
of things to do (and would probably include dealing with symbolic links 
or making it optional). Unfortunately, it is not currently at (or even 
very near) the top of the list.

Ethan

Knut Arild Lisæter wrote:
> Hi John,
>
> Our "main" catalogue is placed under content/thredds, in that file I 
> have placed a number of links (catalogref) to catalogues which lie in 
> content/thredds/catalogs - we did it this way to keep things "tidy" and 
> it has worked well in version 3.14.
>
> Some of the catalogues  under content/thredds/catalogs are symbolic 
> links, and it is for those I get the error messages I mentioned when I 
> switch to version 3.16. Just to test I tried to copy one of the linked 
> files into content/thredds/catalogs and then  works with 3.16 - so 3.16 
> seems to be picky about symbolic links
>
> The solution is obvious, avoid links and copy everything into 
> content/thredds/catalogs, but for various reason we would like to keep 
> the current setup if possible. If you would like to have a closer look 
> on our setup, go to:
> http://topaz.nersc.no/thredds/catalog.html
>
> Hope this made it  a bit clearer :-)
>
> Best Regards,
> Knut
>
> John Caron wrote:
>   
>> Hi Knut:
>>
>> Currently you need to keep TDS config catalogs under content/thredds.
>>
>> I assume these are "config catalogs", not just other catalogs you want to reference from a catref?
>>
>> By "symbolic link" do you mean you tried to link another directory under content/thredds ?? If so,
>> im surprissed it wont follow a symbolic link correclty....
>>
>> Knut Arild Lisæter wrote:
>>   
>>     
>>> Hi,
>>>
>>> I tried to update to thredds version 3.16 today, but it seems that  
>>> symbolic links to catalogues are not allowed in this version? In logs/ 
>>> catalogErrors.log I get many errors of this type
>>>
>>> initCatalog(): Path <catalogs/mersea-ip-class2-arctic.xml> points  
>>> outside of content path </home/apache-tomcat-5.5.25/content/thredds/>  
>>> (skip).
>>>
>>> Is there a quick and easy way to allow symbolic links pointing outside  
>>> of the "content path" ?
>>>
>>>
>>> Best Regards,
>>> Knut Lisæter
>>> _______________________________________________
>>> thredds mailing list
>>> thredds at unidata.ucar.edu
>>> For list information or to unsubscribe,  visit: http://www.unidata.ucar.edu/mailing_lists/ 
>>>     
>>>       
>>   
>>     
>
> _______________________________________________
> thredds mailing list
> thredds at unidata.ucar.edu
> For list information or to unsubscribe,  visit: http://www.unidata.ucar.edu/mailing_lists/ 
>   

-- 
Ethan R. Davis                                Telephone: (303) 497-8155
Software Engineer                             Fax:       (303) 497-8690
UCAR Unidata Program Center                   E-mail:    edavis at ucar.edu
P.O. Box 3000
Boulder, CO  80307-3000                       http://www.unidata.ucar.edu/
---------------------------------------------------------------------------

More information about the thredds mailing list