I am curious how many agents/bots are watching commit messages and evaluating them for security concerns these days...
On Fri, May 8, 2026 at 10:43 AM Mark Thomas <[email protected]> wrote:
> Anyone want to take a bet on how long it takes before we get an AI
> generated report that, despite the commit comment, this fixes a security
> vulnerability?
>
> Mark
>
> On 08/05/2026 15:41, [email protected] wrote:
> > This is an automated email from the ASF dual-hosted git repository.
> >
> > markt-asf pushed a commit to branch main
> > in repository https://gitbox.apache.org/repos/asf/tomcat.git
> >
> > The following commit(s) were added to refs/heads/main by this push:
> >      new 6b7f62f0a6 Prevent accidental directory traversal
> > 6b7f62f0a6 is described below
> >
> > commit 6b7f62f0a6a2ed4c10ad717b3212c799cd98e2f9
> > Author: Mark Thomas <[email protected]>
> > AuthorDate: Fri May 8 15:40:30 2026 +0100
> >
> >     Prevent accidental directory traversal
> >
> >     Note: This is NOT a security vulnerability as uploading a web application effectively allows RCE anyway.
> > ---
> >  java/org/apache/catalina/manager/LocalStrings.properties | 2 ++
> >  java/org/apache/catalina/manager/ManagerServlet.java     | 9 +++++++++
> >  webapps/docs/changelog.xml                               | 4 ++++
> >  3 files changed, 15 insertions(+)
> >
> > diff --git a/java/org/apache/catalina/manager/LocalStrings.properties > b/java/org/apache/catalina/manager/LocalStrings.properties > > index 618039a367..d14516e114 100644 > > --- a/java/org/apache/catalina/manager/LocalStrings.properties > > +++ b/java/org/apache/catalina/manager/LocalStrings.properties 
> > @@ -158,6 +158,8 @@ managerServlet.noWrapper=Container has not called > setWrapper() for this servlet > > managerServlet.notDeployed=FAIL - Context [{0}] is defined in > server.xml and may not be undeployed > > managerServlet.notSslConnector=SSL is not enabled for this connector > > managerServlet.objectNameFail=FAIL - Unable to register object name > [{0}] for Manager Servlet > > +managerServlet.pathCheckFail=FAIL - Unable to upload to [{0}] as that > is outside the versioned directory [{1}] > > +managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] due to > [{2}] while checking the destination not outside the versioned directory > [{1}] > > managerServlet.postCommand=FAIL - Tried to use command [{0}] via a GET > request but POST is required > > managerServlet.reloaded=OK - Reloaded application at context path [{0}] > > managerServlet.renameFail=FAIL - Unable to rename [{0}] to [{1}]. This > may cause problems for future deployments. > > diff --git a/java/org/apache/catalina/manager/ManagerServlet.java > b/java/org/apache/catalina/manager/ManagerServlet.java > > index 806be52ce7..f222e3146f 100644 > > --- a/java/org/apache/catalina/manager/ManagerServlet.java > > +++ b/java/org/apache/catalina/manager/ManagerServlet.java > > @@ -732,6 +732,15 @@ public class ManagerServlet extends HttpServlet > implements ContainerServlet { > > } > > } else { > > File uploadPath = new File(versioned, tag); > > + try { > > + if > (!uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath())) { > > + > writer.println(smClient.getString("managerServlet.pathCheckFail", > uploadPath, versioned)); > > + return; > > + } > > + } catch (IOException ioe) { > > + > writer.println(smClient.getString("managerServlet.pathCheckError", > uploadPath, versioned, ioe.getMessage())); > > + return; > > + } > > if (!uploadPath.mkdirs() && !uploadPath.isDirectory()) { > > > writer.println(smClient.getString("managerServlet.mkdirFail", uploadPath)); > > return; 
> > diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml > > index e05c907131..ae82756886 100644 > > --- a/webapps/docs/changelog.xml > > +++ b/webapps/docs/changelog.xml > > @@ -330,6 +330,10 @@ > > <subsection name="Web applications"> > > <changelog> > > <!-- Entries for backport and removal before 12.0.0-M1 below > this line --> > > + <add> > > + Manager: Add a check to ensure that any web application > uploaded using > > + the tag mechanism is uploaded to the correct location. (markt) > > + </add> > > </changelog> > > </subsection> > > <subsection name="jdbc-pool"> > > > > > > --------------------------------------------------------------------- > > To unsubscribe, e-mail: [email protected] > > For additional commands, e-mail: [email protected]
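Review bot: the second added line in the LocalStrings.properties hunk, `+managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] due to [{2}] ...`, has no `=` between the key and its value, so as shown here the key that gets loaded is `managerServlet.pathCheckErrorFAIL` and the `smClient.getString("managerServlet.pathCheckError", ...)` lookup added in the ManagerServlet.java hunk will not resolve; it should read `+managerServlet.pathCheckError=FAIL - Unable to upload to [{0}] due to [{2}] while checking the destination not outside the versioned directory [{1}]`. The placeholder order ({0} upload path, {1} versioned directory, {2} exception message) does match the three arguments passed from the Java side, so only the separator is wrong. If the missing `=` is an artefact of the mail quoting rather than of the commit, the wording is still worth a pass: "while checking that the destination is inside the versioned directory [{1}]" is clearer than "checking the destination not outside".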
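Review bot: the containment check in the ManagerServlet.java hunk, `if (!uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath()))`, is a plain string-prefix comparison, so a canonical upload path that merely begins with the versioned directory's name (a sibling directory whose name extends it) passes even though it lies outside `versioned`. Compare against the prefix plus a trailing separator, e.g. `String base = versioned.getCanonicalPath() + File.separator;` followed by `if (!uploadPath.getCanonicalPath().startsWith(base)) {`, or use `java.nio.file.Path` with `normalize()`/`toRealPath()` and `Path.startsWith(Path)`, which compares whole path components rather than characters. Either form also rejects an upload path equal to `versioned` itself, which is the intended outcome since `tag` is meant to name a subdirectory. In the `catch (IOException ioe)` branch, consider logging the exception on the server in addition to echoing `ioe.getMessage()` to the Manager client, since the message text may carry server-side path details.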
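Review bot: the changelog.xml hunk records the change as `<add>` and describes it only as being "uploaded to the correct location"; since the servlet now returns a FAIL response when the tag would resolve outside the versioned directory, a `<fix>` entry stating that the Manager rejects a tag-based upload whose destination is outside the versioned directory would tell readers what behaviour actually changed.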
