Author: markt
Date: Wed Sep 20 12:23:44 2017
New Revision: 1809011
URL: http://svn.apache.org/viewvc?rev=1809011&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
Partial fix for CVE-2017-12617
This moves a check from the Default servlet where it applied to GET, POST, HEAD
and OPTIONS to the resources implementation where it applies to any method that
expects the resource to exist (e.g.DELETE)
Still need to address the case where the resource does not exist (e.g. PUT)
Modified:
tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
Modified: tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1809011&r1=1809010&r2=1809011&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java Wed Sep
20 12:23:44 2017
@@ -820,20 +820,6 @@ public class DefaultServlet extends Http
return;
}
- // If the resource is not a collection, and the resource path
- // ends with "/" or "\", return NOT FOUND
- if (resource.isFile() && (path.endsWith("/") || path.endsWith("\\"))) {
- // Check if we're included so we can return the appropriate
- // missing resource name in the error
- String requestUri = (String) request.getAttribute(
- RequestDispatcher.INCLUDE_REQUEST_URI);
- if (requestUri == null) {
- requestUri = request.getRequestURI();
- }
- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestUri);
- return;
- }
-
boolean included = false;
// Check if the conditions specified in the optional If headers are
// satisfied.
Modified:
tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java?rev=1809011&r1=1809010&r2=1809011&view=diff
==============================================================================
---
tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
(original)
+++
tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
Wed Sep 20 12:23:44 2017
@@ -57,6 +57,14 @@ public abstract class AbstractFileResour
name = "";
}
File file = new File(fileBase, name);
+
+ // If the requested names ends in '/', the Java File API will return a
+ // matching file if one exists. This isn't what we want as it is not
+ // consistent with the Servlet spec rules for request mapping.
+ if (file.isFile() && name.endsWith("/")) {
+ return null;
+ }
+
if (!mustExist || file.canRead()) {
if (getRoot().getAllowLinking()) {
Modified:
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java?rev=1809011&r1=1809010&r2=1809011&view=diff
==============================================================================
---
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
(original)
+++
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
Wed Sep 20 12:23:44 2017
@@ -132,6 +132,13 @@ public abstract class AbstractTestResour
}
@Test
+ public final void testGetResourceFileWithTrailingSlash() {
+ WebResource webResource =
+ resourceRoot.getResource(getMount() + "/d1/d1-f1.txt/");
+ Assert.assertFalse(webResource.exists());
+ }
+
+ @Test
public final void testGetResourceCaseSensitive() {
WebResource webResource =
resourceRoot.getResource(getMount() + "/d1/d1-F1.txt");
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
