2011/8/22 sebb <[email protected]>:
> On 13 July 2011 14:28, <[email protected]> wrote:
>> Author: markt
>> Date: Wed Jul 13 13:28:24 2011
>> New Revision: 1146005
>>
>> URL: http://svn.apache.org/viewvc?rev=1146005&view=rev
>> Log:
>> When running under a security manager and using sendfile, validate sendfile
>> attributes to prevent sendfile being used to bypass the security manager.
>> Part of the fix for CVE-2011-2526
>>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
>> tomcat/trunk/java/org/apache/catalina/connector/Request.java
>>
>> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13
>> 13:28:24 2011
>> @@ -1525,6 +1525,26 @@ public class Request
>> return;
>> }
>>
>> + // Do the security check before any updates are made
>> + if (Globals.IS_SECURITY_ENABLED &&
>> + name.equals("org.apache.tomcat.sendfile.filename")) {
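Review bot: In the added condition, `name.equals("org.apache.tomcat.sendfile.filename")` depends on `name` having been null-checked earlier in the method, which the quoted context lines do not show; writing the comparison literal-first, as in `"org.apache.tomcat.sendfile.filename".equals(name)`, removes that dependency. Only the first three of the added lines are quoted here, so the validation applied to the attribute value after this condition cannot be reviewed from this message.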
>
> IMO this "magic string" should be a constant - as is done earlier in the file:
>
> ... name.equals(Globals.DISPATCHER_REQUEST_PATH_ATTR) ...
>
You are right. Actually there are three magic strings used by sendfile
(filename + range bounds).
(It could not be done in r1146005 in order to reduce noise in a security patch).
Best regards,
Konstantin Kolinko