Author: markt
Date: Wed Jul 13 13:28:24 2011
New Revision: 1146005
URL: http://svn.apache.org/viewvc?rev=1146005&view=rev
Log:
When running under a security manager and using sendfile, validate sendfile
attributes to prevent sendfile being used to bypass the security manager.
Part of the fix for CVE-2011-2526
Modified:
tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
tomcat/trunk/java/org/apache/catalina/connector/Request.java
Modified:
tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties?rev=1146005&r1=1146004&r2=1146005&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
(original)
+++ tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties Wed
Jul 13 13:28:24 2011
@@ -66,6 +66,7 @@ coyoteRequest.noLoginConfig=No authentic
coyoteRequest.authenticate.ise=Cannot call authenticate() after the reponse
has been committed
coyoteRequest.uploadLocationInvalid=The temporary upload location [{0}] is not
valid
coyoteRequest.sessionEndAccessFail=Exception triggered ending access to
session while recycling request
+coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file
[{0}] specified for use with sendfile
requestFacade.nullRequest=The request object has been recycled and is no
longer associated with this facade
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1146005&r1=1146004&r2=1146005&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13
13:28:24 2011
@@ -1525,6 +1525,26 @@ public class Request
return;
}
+ // Do the security check before any updates are made
+ if (Globals.IS_SECURITY_ENABLED &&
+ name.equals("org.apache.tomcat.sendfile.filename")) {
+ // Use the canonical file name to avoid any possible symlink and
+ // relative path issues
+ String canonicalPath;
+ try {
+ canonicalPath = new File(value.toString()).getCanonicalPath();
+ } catch (IOException e) {
+ throw new SecurityException(sm.getString(
+ "coyoteRequest.sendfileNotCanonical", value), e);
+ }
+ // Sendfile is performed in Tomcat's security context so need to
+ // check if the web app is permitted to access the file while still
+ // in the web app's security context
+ System.getSecurityManager().checkRead(canonicalPath);
+ // Update the value so the canonical path is used
+ value = canonicalPath;
+ }
+
oldValue = attributes.put(name, value);
if (oldValue != null) {
replaced = true;
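Review bot: The read permission is checked on the canonical path when the attribute is set, but the comment above `checkRead` says sendfile itself runs later in Tomcat's own security context, and nothing in this hunk re-validates the path at that point. The check therefore only holds if the stored path still resolves to the same file when it is opened. I would record that next to the `checkRead` call, e.g. `// NOTE: validated at set time only; the connector must use this stored canonical path as-is`, and confirm the consuming connector code does so. The attribute name is also a bare string literal in the condition; a constant shared with the code that reads the attribute would keep the check and its consumer from drifting apart. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here that `value` is non-null before `value.toString()`.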