2017-09-20 15:23 GMT+03:00 <ma...@apache.org>:
> Author: markt
> Date: Wed Sep 20 12:23:44 2017
> New Revision: 1809011
>
> URL: http://svn.apache.org/viewvc?rev=1809011&view=rev
> Log:
> Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61542
> Partial fix for CVE-2017-12617
> This moves a check from the Default servlet where it applied to GET, POST,
> HEAD and OPTIONS to the resources implementation where it applies to any
> method that expects the resource to exist (e.g.DELETE)
> Still need to address the case where the resource does not exist (e.g. PUT)
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
>
> tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
>
> tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
>
> Modified: tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java?rev=1809011&r1=1809010&r2=1809011&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java
> (original)
> +++ tomcat/trunk/java/org/apache/catalina/servlets/DefaultServlet.java Wed
> Sep 20 12:23:44 2017
> @@ -820,20 +820,6 @@ public class DefaultServlet extends Http
> return;
> }
>
> - // If the resource is not a collection, and the resource path
> - // ends with "/" or "\", return NOT FOUND
> - if (resource.isFile() && (path.endsWith("/") ||
> path.endsWith("\\"))) {
> - // Check if we're included so we can return the appropriate
> - // missing resource name in the error
> - String requestUri = (String) request.getAttribute(
> - RequestDispatcher.INCLUDE_REQUEST_URI);
> - if (requestUri == null) {
> - requestUri = request.getRequestURI();
> - }
> - response.sendError(HttpServletResponse.SC_NOT_FOUND, requestUri);
> - return;
> - }
> -
> boolean included = false;
> // Check if the conditions specified in the optional If headers are
> // satisfied.
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> URL:
> http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java?rev=1809011&r1=1809010&r2=1809011&view=diff
> ==============================================================================
> ---
> tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> (original)
> +++
> tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> Wed Sep 20 12:23:44 2017
> @@ -57,6 +57,14 @@ public abstract class AbstractFileResour
> name = "";
> }
> File file = new File(fileBase, name);
> +
> + // If the requested names ends in '/', the Java File API will return
> a
> + // matching file if one exists. This isn't what we want as it is not
> + // consistent with the Servlet spec rules for request mapping.
> + if (file.isFile() && name.endsWith("/")) {
I think this has to be
if (name.endsWith("/") && !file.isDirectory())
Two concerns:
1) performance: do in-memory checks first and I/O performing ones later
2) "isFile()" tests whether "this is a normal file". The definition of
"normal file" is OS-dependent.
> + return null;
> + }
> +
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
