Loading...

XML

Word

Printable

Details

Type: Bug
Resolution: Fixed
Priority: Blocker
Fix Version/s: 18.3.0-rc-1, 17.10.6, 18.2.1
Affects Version/s: 18.2.0, 17.10.5
Component/s: Environment
Labels:
- regression

Tests:

Unit
Difficulty:
Unknown
Documentation:
https://extensions.xwiki.org/xwiki/bin/view/Extension/Environment%20Module#HPathtraversalprotectionsinServletEnvironment
Documentation in Release Notes:
N/A
Similar issues:

Description

After upgrading XWiki 17.10.4 to 17.10.5, XWiki is not able to start up. Using tomcat10 or tomcat11 (with the corresponding xwiki packages) produces the same result.

The following lines from catalina.out (see attachment) seem especially relevant:

[2026-04-02 13:45:00] [info] 2026-04-02 13:45:00,488 [main] WARN  o.x.e.i.ServletEnvironment     - The path [/WEB-INF/cache/infinispan/config.xml] is trying to access a resource outside of the resource root.
[2026-04-02 13:45:04] [info] 2026-04-02 13:45:04,501 [main] WARN  o.x.e.i.ServletEnvironment     - The path [/WEB-INF/hibernate.cfg.xml] is trying to access a resource outside of the resource root.
[2026-04-02 13:45:04] [info] 2026-04-02 13:45:04,502 [main] ERROR c.x.x.i.s.h.HibernateStore     - Failed to find hibernate configuration file corresponding to path [/WEB-INF/hibernate.cfg.xml]

Attachments

- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

catalina.out
7 kB
02/Apr/26 14:13

Issue Links

is caused by

XCOMMONS-3594 Make a lot easier to protect against resource path traversal

Closed

Activity

People

Assignee:: Thomas Mortagne

Reporter:: Jörg Mechnich

Votes:: 1 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 4 days ago 14:15

Updated:: 3 days ago 16:51

Resolved:: 4 days ago 19:20

Date of First Response:: 02/Apr/26 2:27 PM