This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch 10.1.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
new fb881c3445 Relax file name check since input can include paths
fb881c3445 is described below
commit fb881c3445f1a7ef98f011c46efe61e9023f56c0
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Oct 9 14:44:03 2025 +0100
Relax file name check since input can include paths
---
.../apache/catalina/webresources/AbstractFileResourceSet.java | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index e26cc45b16..637c841b61 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -188,13 +188,15 @@ public abstract class AbstractFileResourceSet extends
AbstractResourceSet {
* Control characters (0x00-0x31) are not permitted and tend to be
display strangely in log messages and
* similar.
*
- * '*', '/', '?', '\\' and '|' are also not allowed and, while
they are not currently known to cause other
+ * '*', '?' and '|' are also not allowed and, while they are not
currently known to cause other
* difficulties, they are checked here rather than wasting cycles
trying to find an invalid file later.
*
- * Note: Characters listed in ASCII order.
+ * The file separators ('/' and '\\') are not allowed in file
names but are not excluded here as paths are
+ * passed to this method.
+ *
+ * Note: Characters are listed in ASCII order.
*/
- if (c < 32 || c == '\"' || c == '*' || c == '/' || c == ':' || c
== '<' || c == '>' || c == '?' || c == '\\'
- || c == '|') {
+ if (c < 32 || c == '\"' || c == '*' || c == ':' || c == '<' || c
== '>' || c == '?' || c == '|') {
return true;
}
}
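Review bot: The added comment paragraph explains why '/' and '\\' are no longer rejected here, but it does not say which check is now responsible for them, so a reader could still mistake this loop for a path-safety filter. I would add a sentence such as `This is not a path traversal check; the resolved path must still be normalised and validated by the caller.` Code elsewhere in this class presumably does that validation, but it is outside the hunk and should be confirmed. Separately, the context line `Control characters (0x00-0x31)` disagrees with the condition `c < 32`, which covers 0x00-0x1F (0-31 decimal); this is worth correcting while the comment is being edited. The enclosing method starts and ends outside the hunk.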