On 20/09/17 14:04, Mark Thomas wrote:
> On 20/09/17 13:52, ma...@apache.org wrote:
>> Author: markt
>> Date: Wed Sep 20 12:52:47 2017
>> New Revision: 1809025
>>
>> URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
>> Log:
>> Partial fix for CVE-2017-12617
>> This ensures that a path specified for creation of a file does not end in
>> '/' since that is dropped by the File API.
>
> I think the fix for 9.0.x is complete but I want to do some more testing
> around the edge cases to make sure. Additional testing welcome.
>
> Once we are satisfied the fix is complete, I'll start back-porting.
I've done some testing to see how Windows behaves with all possible
characters at the end of a file name. The behaviour falls into one of four
options:

a) getCanonicalPath() throws an IOException
b) getCanonicalPath() != getAbsolutePath()
c) getCanonicalPath() == getAbsolutePath() and the file name is unaltered
   from that provided.
d) getCanonicalPath() == getAbsolutePath() but the file name is unaltered
   from that provided.

The only characters that trigger d) are '/' and '\'.

Before today, cases a), b) and c) were handled correctly.

On Windows '\' is always converted to '/' so only '/' needs to be handled.

The patches I made today handle '/' so I believe that the fix is complete.

An extra pair of eyes or two on the proposed patch and the thinking above
would be appreciated.

At this point, I'm thinking back-port tomorrow morning and then tag and
release.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
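The four cases above, and the point that the trailing separator check has to happen on the raw request string before a java.io.File is constructed, can be exercised with the following added example. It is not Tomcat's code and not part of the thread; the class, method and enum names are mine, and the classification it prints is platform dependent (the mail describes Windows; on other platforms the same name may land in a different case).

```java
import java.io.File;
import java.io.IOException;

/** Added example: classify a requested file name the way the mail does (cases a-d). */
public final class TrailingSeparatorCheck {

    enum Outcome {
        CANONICAL_THROWS,   // a) getCanonicalPath() throws an IOException
        CANONICAL_DIFFERS,  // b) getCanonicalPath() != getAbsolutePath()
        UNALTERED,          // c) paths agree and the name survives as supplied
        SEPARATOR_DROPPED   // d) paths agree, but a trailing '/' or '\' was silently dropped
    }

    /** Classify 'requested' relative to 'base'. Hypothetical helper, not a Tomcat API. */
    static Outcome classify(File base, String requested) {
        // The File constructor normalises the child name, so a trailing separator is
        // invisible once the File exists: the check must be done on the raw string.
        boolean endsWithSeparator = requested.endsWith("/") || requested.endsWith("\\");

        File f = new File(base, requested);
        String abs = f.getAbsolutePath();
        String canon;
        try {
            canon = f.getCanonicalPath();
        } catch (IOException e) {
            return Outcome.CANONICAL_THROWS;
        }
        if (!canon.equals(abs)) {
            return Outcome.CANONICAL_DIFFERS;
        }
        return endsWithSeparator ? Outcome.SEPARATOR_DROPPED : Outcome.UNALTERED;
    }

    /** Guard for a file-creation request: reject a trailing separator up front (case d). */
    static boolean isAcceptableForCreation(File base, String requested) {
        if (requested.endsWith("/") || requested.endsWith("\\")) {
            return false;
        }
        return classify(base, requested) == Outcome.UNALTERED;
    }

    public static void main(String[] args) throws IOException {
        // Canonicalise the base first so a symlinked temp dir does not force every name into case b.
        File base = new File(System.getProperty("java.io.tmpdir")).getCanonicalFile();

        // Constructed sample names: a plain name, the two separator-terminated variants,
        // a trailing space, and a name containing '..' that canonicalisation rewrites.
        String[] samples = { "report.jsp", "report.jsp/", "report.jsp\\", "report.jsp ", "a/../report.jsp" };
        for (String name : samples) {
            System.out.printf("%-20s -> %-18s accept=%b%n",
                    "\"" + name + "\"", classify(base, name), isAcceptableForCreation(base, name));
        }
    }
}
```

The guard deliberately looks at the request string rather than at any File-derived path: by the time getAbsolutePath() or getCanonicalPath() is consulted, the trailing '/' is already gone, which is exactly why case d) could not be caught by the pre-existing canonical-versus-absolute comparison.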