(tomcat) branch 11.0.x updated: Fix potential deadlock on copy

Wed, 10 Jun 2026 03:30:41 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 11.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/11.0.x by this push:
     new be9089d941 Fix potential deadlock on copy
be9089d941 is described below

commit be9089d941a48345a1f8abe145d26b8975a02bac
Author: Mark Thomas <[email protected]>
AuthorDate: Wed Jun 10 11:29:02 2026 +0100

    Fix potential deadlock on copy
---
 java/org/apache/catalina/servlets/WebdavServlet.java | 18 ++++++++++++++++--
 webapps/docs/changelog.xml                           |  3 +++
 2 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java 
b/java/org/apache/catalina/servlets/WebdavServlet.java
index 7eb089f935..81e0fbc52e 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -2983,8 +2983,22 @@ public class WebdavServlet extends DefaultServlet 
implements PeriodicEventListen
                     propertiesDest = new ArrayList<>();
                     deadProperties.put(destination, propertiesDest);
                 }
-                synchronized (properties) {
-                    synchronized (propertiesDest) {
+                /*
+                 * The following ensures that locks for any two paths are 
always obtained in the same other order
+                 * regardless of which is the source and which is the 
destination. This is to avoid deadlocks for
+                 * concurrent calls where source and destination are reversed.
+                 */
+                Object lockFirst;
+                Object lockSecond;
+                if (source.compareTo(destination) > 0) {
+                    lockFirst = properties;
+                    lockSecond = propertiesDest;
+                } else {
+                    lockFirst = propertiesDest;
+                    lockSecond = properties;
+                }
+                synchronized (lockFirst) {
+                    synchronized (lockSecond) {
                         for (Node node : properties) {
                             node = node.cloneNode(true);
                             boolean found = false;
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 48a77fbbf9..fa45838bd5 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -279,6 +279,9 @@
         <code>server.xml</code>. Cluster digester rules are now fully
         conditional on both JARs being available. (dsoumis)
       </fix>
+      <fix>
+        Fix a potential deadlock when copying resources using WebDAV. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to