On 22 August 2011 16:03, Konstantin Kolinko <knst.koli...@gmail.com> wrote:
> 2011/8/22 sebb <seb...@gmail.com>:
>> On 13 July 2011 14:28,  <ma...@apache.org> wrote:
>>> Author: markt
>>> Date: Wed Jul 13 13:28:24 2011
>>> New Revision: 1146005
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1146005&view=rev
>>> Log:
>>> When running under a security manager and using sendfile, validate sendfile 
>>> attributes to prevent sendfile being used to bypass the security manager.
>>> Part of the fix for CVE-2011-2526
>>>
>>> Modified:
>>>    tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
>>>    tomcat/trunk/java/org/apache/catalina/connector/Request.java
>>>
>
>>> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
>>> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13 
>>> 13:28:24 2011
>>> @@ -1525,6 +1525,26 @@ public class Request
>>>             return;
>>>         }
>>>
>>> +        // Do the security check before any updates are made
>>> +        if (Globals.IS_SECURITY_ENABLED &&
>>> +                name.equals("org.apache.tomcat.sendfile.filename")) {
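Review bot: the new guard keys on the literal `"org.apache.tomcat.sendfile.filename"` while the check a few lines earlier in the same method compares against a named constant (`Globals.DISPATCHER_REQUEST_PATH_ATTR`); because the same literal is also emitted by DefaultServlet and the Http11Apr/Nio processors, a shared constant (for example a `Globals.SENDFILE_FILENAME_ATTR`, name suggested here) would keep the producers and this security check from drifting apart, and the same treatment is due for the two range-bound attribute names that sendfile also consumes, which the visible guard does not cover. Also worth a sentence in the Log or a comment: the check is placed before any state is updated, which is the right order, but it is only active when `Globals.IS_SECURITY_ENABLED` is true, so readers should understand that the security manager is the trust boundary being protected, not unprivileged deployments.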
>>
>> IMO this "magic string" should be a constant - as is done earlier in the 
>> file:
>>
>>  ... name.equals(Globals.DISPATCHER_REQUEST_PATH_ATTR) ...
>>
>
> You are right. Actually there are three magic strings used by sendfile
> (filename + range bounds).
>
> (It could not be done in r1146005 in order to reduce noise in a security 
> patch).

I see.

In which case there are several other related magic strings in
DefaultServlet and Http11AprProcessor and Http11NioProcessor.

Probably elsewhere too; these are just the files that use
"org.apache.tomcat.sendfile.filename".


> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
>
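As an added illustration of the point raised in this thread, and not code from r1146005 or from Tomcat, the following standalone class gathers the three sendfile attribute names into constants that both the code setting them and the code guarding them can share, and shows the shape of a guarded `setAttribute` that validates before storing. Only the filename attribute string and the existence of `Globals.IS_SECURITY_ENABLED` appear on the page; the class name, the constant names, the range-bound attribute strings and the validation bodies (canonicalising the path and asking the security manager for read permission, then checking that range bounds are non-negative `Long`s) are this example's own assumptions about how the commit log's "validate sendfile attributes" could be carried out, and the range-bound handling goes beyond what the quoted hunk shows.

```java
import java.io.File;
import java.io.IOException;
import java.util.HashMap;
import java.util.Map;

/**
 * Added example, not Tomcat code: centralises the sendfile attribute names
 * that the servlet producing them, the HTTP processors consuming them and the
 * request-attribute guard all need, so producers and the security check
 * cannot drift apart the way scattered string literals can.
 */
public final class SendfileAttributeGuard {

    // The filename attribute is quoted on the page; the two range-bound names
    // follow the same naming scheme and are assumptions for this example.
    public static final String SENDFILE_FILENAME_ATTR = "org.apache.tomcat.sendfile.filename";
    public static final String SENDFILE_START_ATTR = "org.apache.tomcat.sendfile.start";
    public static final String SENDFILE_END_ATTR = "org.apache.tomcat.sendfile.end";

    // Stand-in for Globals.IS_SECURITY_ENABLED: true only under a security manager.
    private static final boolean IS_SECURITY_ENABLED = System.getSecurityManager() != null;

    private final Map<String, Object> attributes = new HashMap<>();

    /**
     * Same ordering as the guarded setAttribute in the thread: validate first,
     * before any state is updated, and reject rather than silently store.
     */
    public void setAttribute(String name, Object value) {
        if (IS_SECURITY_ENABLED) {
            if (SENDFILE_FILENAME_ATTR.equals(name)) {
                value = checkedFilename(value);
            } else if (SENDFILE_START_ATTR.equals(name) || SENDFILE_END_ATTR.equals(name)) {
                value = checkedRangeBound(name, value);
            }
        }
        attributes.put(name, value);
    }

    /**
     * The sendfile transfer later runs with the container's privileges, so the
     * web application's right to read the file has to be established now, while
     * still in the caller's security context, and on the canonical path so that
     * symlinks and relative segments cannot route around the check.
     */
    private static String checkedFilename(Object value) {
        if (!(value instanceof String)) {
            throw new SecurityException("sendfile filename must be a String");
        }
        String canonicalPath;
        try {
            canonicalPath = new File((String) value).getCanonicalPath();
        } catch (IOException e) {
            throw new SecurityException("sendfile filename cannot be canonicalised: " + value, e);
        }
        SecurityManager sm = System.getSecurityManager();
        if (sm != null) {
            sm.checkRead(canonicalPath);   // throws SecurityException when not permitted
        }
        return canonicalPath;              // store the canonical form, not the caller's string
    }

    /** Range bounds are offsets into the file: only non-negative Longs are accepted. */
    private static Long checkedRangeBound(String name, Object value) {
        if (!(value instanceof Long) || ((Long) value).longValue() < 0) {
            throw new IllegalArgumentException(name + " must be a non-negative Long");
        }
        return (Long) value;
    }

    public Object getAttribute(String name) {
        return attributes.get(name);
    }
}
```

The guard is deliberately a no-op when no security manager is installed, matching the `Globals.IS_SECURITY_ENABLED` condition in the quoted hunk: without a security manager there is no boundary for sendfile to bypass. `SecurityManager` is deprecated for removal in recent JDKs, so this compiles with warnings on Java 17 and later; the structural point, a single source of truth for the attribute names shared by producer and check, does not depend on it.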