On Friday, May 8, 2026, Mark Thomas <[email protected]> wrote:
> On 08/05/2026 16:54, Coty Sutherland wrote:
>
>> For the fun, I asked Claude Sonnet 4.5 :) It says that the commit message
>> indicates it's not, and the reasoning is sound. But when I asked if the
>> developer might be misleading us, the response said that subsequent
>> commits
>> indicate that it does have a security impact with some examples of
>> possibilities. I'm not sure those are sound, though...
>>
>
> Interesting. It doesn't appear to be able to see the bigger picture. The
> fundamental point that this is called by an admin who can deploy a web
> application remains.
>
Yeah, I posed a follow-up question and it went back to "yeah, this isn't a
security issue because an admin can do whatever" or something similar to
that (I'm AFK now so don't recall specifics).

>
> I'm doing iterative CoPilot reviews so there is going to be another
> follow-up commit. The follow-ups are certainly improving things but there
> is nothing here that is remotely CVE worthy.
>
> Mark
>
>
>> On Fri, May 8, 2026 at 11:45 AM Coty Sutherland <[email protected]>
>> wrote:
>>
>> I am curious how many agents/bots are watching commit messages and
>>> evaluating them for security concerns these days...
>>>
>>> On Fri, May 8, 2026 at 10:43 AM Mark Thomas <[email protected]> wrote:
>>>
>>> Anyone want to take a bet on how long it takes before we get an AI
>>>> generated report that, despite the commit comment, this fixes a security
>>>> vulnerability?
>>>>
>>>> Mark
>>>>
>>>>
>>>> On 08/05/2026 15:41, [email protected] wrote:
>>>>
>>>>> This is an automated email from the ASF dual-hosted git repository.
>>>>>
>>>>> markt-asf pushed a commit to branch main
>>>>> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>>>>>
>>>>>
>>>>> The following commit(s) were added to refs/heads/main by this push:
>>>>> new 6b7f62f0a6 Prevent accidental directory traversal
>>>>> 6b7f62f0a6 is described below
>>>>>
>>>>> commit 6b7f62f0a6a2ed4c10ad717b3212c799cd98e2f9
>>>>> Author: Mark Thomas <[email protected]>
>>>>> AuthorDate: Fri May 8 15:40:30 2026 +0100
>>>>>
>>>>> Prevent accidental directory traversal
>>>>>
>>>>> Note: This is NOT a security vulnerability as uploading a web
>>>>>
>>>> application effectively allows RCE anyway.
>>>>
>>>>> ---
>>>>> java/org/apache/catalina/manager/LocalStrings.properties | 2 ++
>>>>> java/org/apache/catalina/manager/ManagerServlet.java | 9
>>>>> +++++++++
>>>>> webapps/docs/changelog.xml | 4 ++++
>>>>> 3 files changed, 15 insertions(+)
>>>>> >>>>> diff --git a/java/org/apache/catalina/manager/LocalStrings.properties >>>>> >>>> b/java/org/apache/catalina/manager/LocalStrings.properties >>>> >>>>> index 618039a367..d14516e114 100644 >>>>> --- a/java/org/apache/catalina/manager/LocalStrings.properties >>>>> +++ b/java/org/apache/catalina/manager/LocalStrings.properties >>>>> @@ -158,6 +158,8 @@ managerServlet.noWrapper=Container has not called >>>>> >>>> setWrapper() for this servlet >>>> >>>>> managerServlet.notDeployed=FAIL - Context [{0}] is defined in >>>>> >>>> server.xml and may not be undeployed >>>> >>>>> managerServlet.notSslConnector=SSL is not enabled for this >>>>> connector >>>>> managerServlet.objectNameFail=FAIL - Unable to register object name >>>>> >>>> [{0}] for Manager Servlet >>>> >>>>> +managerServlet.pathCheckFail=FAIL - Unable to upload to [{0}] as that >>>>> >>>> is outside the versioned directory [{1}] >>>> >>>>> +managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] due to >>>>> >>>> [{2}] while checking the destination not outside the versioned directory >>>> [{1}] >>>> >>>>> managerServlet.postCommand=FAIL - Tried to use command [{0}] via a >>>>> >>>> GET request but POST is required >>>> >>>>> managerServlet.reloaded=OK - Reloaded application at context path >>>>> >>>> [{0}] >>>> >>>>> managerServlet.renameFail=FAIL - Unable to rename [{0}] to [{1}]. >>>>> >>>> This may cause problems for future deployments. >>>> >>>>> diff --git a/java/org/apache/catalina/manager/ManagerServlet.java >>>>> >>>> b/java/org/apache/catalina/manager/ManagerServlet.java >>>> >>>>> index 806be52ce7..f222e3146f 100644 >>>>> --- a/java/org/apache/catalina/manager/ManagerServlet.java >>>>> +++ b/java/org/apache/catalina/manager/ManagerServlet.java 
>>>>> @@ -732,6 +732,15 @@ public class ManagerServlet extends HttpServlet >>>>> >>>> implements ContainerServlet { >>>> >>>>> } >>>>> } else { >>>>> File uploadPath = new File(versioned, tag); >>>>> + try { >>>>> + if >>>>> >>>> (!uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath())) >>>> { >>>> >>>>> + >>>>> >>>> writer.println(smClient.getString("managerServlet.pathCheckFail", >>>> uploadPath, versioned)); >>>> >>>>> + return; >>>>> + } >>>>> + } catch (IOException ioe) { >>>>> + >>>>> >>>> writer.println(smClient.getString("managerServlet.pathCheckError", >>>> uploadPath, versioned, ioe.getMessage())); >>>> >>>>> + return; >>>>> + } >>>>> if (!uploadPath.mkdirs() && !uploadPath.isDirectory()) { >>>>> >>>>> writer.println(smClient.getString("managerServlet.mkdirFail", >>>> uploadPath)); >>>> >>>>> return; >>>>> diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml >>>>> index e05c907131..ae82756886 100644 >>>>> --- a/webapps/docs/changelog.xml >>>>> +++ b/webapps/docs/changelog.xml 
>>>>> @@ -330,6 +330,10 @@ >>>>> <subsection name="Web applications"> >>>>> <changelog> >>>>> <!-- Entries for backport and removal before 12.0.0-M1 below >>>>> >>>> this line --> >>>> >>>>> + <add> >>>>> + Manager: Add a check to ensure that any web application >>>>> >>>> uploaded using >>>> >>>>> + the tag mechanism is uploaded to the correct location. (markt) >>>>> + </add> >>>>> </changelog> >>>>> </subsection> >>>>> <subsection name="jdbc-pool"> >>>>> >>>>> >>>>> --------------------------------------------------------------------- >>>>> To unsubscribe, e-mail: [email protected] >>>>> For additional commands, e-mail: [email protected] >>>>> >>>>> >>>> >>>> --------------------------------------------------------------------- >>>> To unsubscribe, e-mail: [email protected] >>>> For additional commands, e-mail: [email protected] >>>> >>>> >>>> >> > > --------------------------------------------------------------------- > To unsubscribe, e-mail: [email protected] > For additional commands, e-mail: [email protected] > >
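Review bot: in the LocalStrings.properties hunk, the second added line `+managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] due to [{2}] ...` has no `=` between key and value, so the file defines a key named `managerServlet.pathCheckErrorFAIL` and the `smClient.getString("managerServlet.pathCheckError", ...)` lookup added in ManagerServlet.java will not resolve to this message. It should read `+managerServlet.pathCheckError=FAIL - Unable to upload to [{0}] due to [{2}] while checking the destination not outside the versioned directory [{1}]`; the `{0}`/`{1}`/`{2}` order does match the `uploadPath, versioned, ioe.getMessage()` arguments in the call site. While here, "while checking the destination not outside the versioned directory" would read more naturally as "while checking that the destination is inside the versioned directory".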
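Review bot: in the ManagerServlet.java hunk, `uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath())` is a plain string-prefix test, so a canonical path that merely begins with the same characters as the versioned directory (a sibling directory whose name extends it) would be accepted even though it is not inside `versioned`. Compare against `versioned.getCanonicalPath() + File.separator` (or the canonical path itself for the exact-equal case), or use the component-aware `uploadPath.getCanonicalFile().toPath().startsWith(versioned.getCanonicalFile().toPath())`, which cannot match on a partial component. The `catch (IOException ioe)` already covers both `getCanonicalPath()` calls, so no other change to the error path is needed.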
