This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new cecc003a5d Reject requests that map to invalid Windows file names 
earlier.
cecc003a5d is described below

commit cecc003a5dffd9c6383ae88e607c46fd2ab46c59
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Oct 9 11:08:49 2025 +0100

    Reject requests that map to invalid Windows file names earlier.
---
 .../webresources/AbstractFileResourceSet.java      | 36 +++++++++++++---------
 webapps/docs/changelog.xml                         |  3 ++
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java 
b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index 6b83b0e46e..e26cc45b16 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -97,7 +97,7 @@ public abstract class AbstractFileResourceSet extends 
AbstractResourceSet {
         }
 
         // Additional Windows specific checks to handle known problems with
-        // File.getCanonicalPath()
+        // File.getCanonicalPath() and other issues
         if (JrePlatform.IS_WINDOWS && isInvalidWindowsFilename(name)) {
             return null;
         }
@@ -172,29 +172,37 @@ public abstract class AbstractFileResourceSet extends 
AbstractResourceSet {
         }
     }
 
+
     private boolean isInvalidWindowsFilename(String name) {
         final int len = name.length();
         if (len == 0) {
             return false;
         }
-        // This consistently ~10 times faster than the equivalent regular
-        // expression irrespective of input length.
+        // This is consistently ~10 times faster than the equivalent regular 
expression irrespective of input length.
         for (int i = 0; i < len; i++) {
             char c = name.charAt(i);
-            if (c == '\"' || c == '<' || c == '>' || c == ':') {
-                // These characters are disallowed in Windows file names and
-                // there are known problems for file names with these 
characters
-                // when using File#getCanonicalPath().
-                // Note: There are additional characters that are disallowed in
-                // Windows file names but these are not known to cause
-                // problems when using File#getCanonicalPath().
+            /*
+             * '\"', ':', '<' and '>' are disallowed in Windows file names and 
there are known problems with these
+             * characters when using File#getCanonicalPath().
+             *
+             * Control characters (0x00-0x31) are not permitted and tend to be 
display strangely in log messages and
+             * similar.
+             *
+             * '*', '/', '?', '\\' and '|' are also not allowed and, while 
they are not currently known to cause other
+             * difficulties, they are checked here rather than wasting cycles 
trying to find an invalid file later.
+             *
+             * Note: Characters listed in ASCII order.
+             */
+            if (c < 32 || c == '\"' || c == '*' || c == '/' || c == ':' || c 
== '<' || c == '>' || c == '?' || c == '\\'
+                    || c == '|') {
                 return true;
             }
         }
-        // Windows does not allow file names to end in ' ' unless specific low
-        // level APIs are used to create the files that bypass various checks.
-        // File names that end in ' ' are known to cause problems when using
-        // File#getCanonicalPath().
+        /*
+         * Windows does not allow file names to end in ' ' unless specific 
low-level APIs are used to create the files
+         * that bypass various checks. File names that end in ' ' are known to 
cause problems when using
+         * File#getCanonicalPath().
+         */
         return name.charAt(len - 1) == ' ';
     }
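Review bot: The new `c == '/'` and `c == '\\'` tests make isInvalidWindowsFilename() return true for any `name` that contains a path separator, and the call site in the first hunk passes `name` through unchanged. The caller's body is outside the hunk, so this needs confirming, but if that value is a resource path rather than a single file-name segment, every nested resource would be rejected on Windows. In that case the condition should leave separators to the later path checks, `if (c < 32 || c == '\"' || c == '*' || c == ':' || c == '<' || c == '>' || c == '?' || c == '|') {`, and the comment should drop '/' and '\\' as well. Separately, the comment gives the control-character range as `0x00-0x31` while the code tests `c < 32`, which is 0x00-0x1F; it should read `Control characters (0x00-0x1F) are not permitted and tend to be displayed strangely in log messages and similar.` A Windows-only test covering a nested path and a name with a control character would pin both behaviours.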
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 44fc7cbe44..7b6fb4ad63 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -120,6 +120,9 @@
         <bug>69837</bug>: Fix corruption of the class path generated by the
         Loader when running on Windows. (markt)
       </fix>
+      <fix>
+        Reject requests that map to invalid Windows file names earlier. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="WebSocket">

