[Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793

2017-08-02 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

--- Comment #5 from Christopher Schultz  ---
(In reply to Mark Thomas from comment #3)
> The canonical path check is still required to enforce the required case
> sensitivity.
> 
> The Windows APIs, most likely for reasons dating back to how 8.3 filenames
> were stored [1], ignore trailing periods in file names. That explains why
> allowLinking="true" enables this vulnerability. As far as the OS APIs are
> concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml" and setting
> allowLinking="true" bypasses the additional checks Tomcat performs to ensure
> an exact match between the requested path and the canonical path.
> 
> Just need confirmation from the OP that allowLinking="true" was being used
> and this issue can be closed.
> 
> [1]
> https://superuser.com/questions/585097/why-does-ntfs-disallow-the-use-of-
> trailing-periods-in-directory-names

I propose the following:

1. On Windows, check for "/WEB-INF." and any other special paths which are
already checked for access.

and/or

2. On Windows, if allowLinking="true", drop a GIANT ERROR to stdout and do a
Thread.sleep(5mins) before proceeding with bringing up the server.

-- 
You are receiving this mail because:
You are the assignee for the bug.
-
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org



[Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793

2017-08-02 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

Brett Schoppert  changed:

   What|Removed |Added

 Resolution|--- |INVALID
 Status|NEEDINFO|RESOLVED

--- Comment #4 from Brett Schoppert  ---
Yes, in this context allowLinking was set to true ... resolving the issue.

Thanks for the feedback.




[Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793

2017-08-02 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

Mark Thomas  changed:

   What|Removed |Added

 Status|NEW |NEEDINFO

--- Comment #3 from Mark Thomas  ---
The canonical path check is still required to enforce the required case
sensitivity.

The Windows APIs, most likely for reasons dating back to how 8.3 filenames were
stored [1], ignore trailing periods in file names. That explains why
allowLinking="true" enables this vulnerability. As far as the OS APIs are
concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml" and setting
allowLinking="true" bypasses the additional checks Tomcat performs to ensure an
exact match between the requested path and the canonical path.

Just need confirmation from the OP that allowLinking="true" was being used and
this issue can be closed.

[1]
https://superuser.com/questions/585097/why-does-ntfs-disallow-the-use-of-trailing-periods-in-directory-names

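The mechanism Mark describes in comment #3 (and the per-path check Chris proposes in comment #5) can be modelled without a Windows box. The following is an added illustration, not Tomcat's own code: a constructed in-memory file system stands in for the OS and, when asked to, mimics the two NTFS/Win32 behaviours named in the thread (case-insensitive lookup and trailing periods ignored). `serve()` then applies the literal `/WEB-INF/` prefix check on the normalized request path and, unless `allow_linking` is set, the canonical-path exact-match check that comment #2 calls the last-resort safety net. The `windows_prefix_check` option is an assumption modelling proposal 1 from comment #5; `DOCBASE`, the file names and contents are constructed sample values.

```python
"""Model of the checks discussed in bug 61369; added example, not Tomcat code."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

DOCBASE = "/webapps/ROOT"              # constructed example docBase
PROTECTED = ("/WEB-INF/", "/META-INF/")


@dataclass
class FakeFs:
    """Constructed stand-in for the OS: on-disk (canonical) path -> contents."""
    files: Dict[str, str]
    case_insensitive: bool = False    # True mimics NTFS name lookup
    strip_trailing_dots: bool = False  # True mimics the Win32 behaviour in [1]

    def canonicalize(self, path: str) -> Optional[str]:
        """Return the path as actually stored (like File.getCanonicalPath),
        or None when nothing on the fake disk resolves to it."""
        comps = path.split("/")
        if self.strip_trailing_dots:
            comps = [c.rstrip(".") for c in comps]
        wanted = "/".join(comps)
        for stored in self.files:
            if stored == wanted:
                return stored
            if self.case_insensitive and stored.lower() == wanted.lower():
                return stored
        return None


def normalize(request_path: str) -> Optional[str]:
    """Collapse '.' and '..' segments; None if the path escapes the root."""
    stack = []
    for seg in request_path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if not stack:
                return None
            stack.pop()
        else:
            stack.append(seg)
    return "/" + "/".join(stack)


def serve(fs: FakeFs, request_path: str, allow_linking: bool = False,
          windows_prefix_check: bool = False) -> Tuple[int, Optional[str]]:
    """Two layers: literal WEB-INF/META-INF check on the request path, then
    (unless allowLinking) exact match between request and canonical path."""
    norm = normalize(request_path)
    if norm is None:
        return 404, None
    check_path = norm
    if windows_prefix_check:
        # Hypothetical hardening from comment #5: compare the prefix after
        # applying the same trailing-period stripping the OS will apply.
        check_path = "/".join(seg.rstrip(".") for seg in norm.split("/"))
    upper = check_path.upper()
    if any(upper.startswith(p) or upper == p.rstrip("/") for p in PROTECTED):
        return 404, None
    expected = DOCBASE + norm
    canonical = fs.canonicalize(expected)
    if canonical is None:
        return 404, None
    if not allow_linking and canonical != expected:
        # The OS opened something spelled differently from what was asked
        # for (case, trailing period, symlink target): refuse to serve it.
        return 404, None
    return 200, fs.files[canonical]


def windows_like_fs() -> FakeFs:
    """Constructed webapp layout on a Windows-behaving file system."""
    return FakeFs(
        files={
            DOCBASE + "/index.html": "<html>hello</html>",
            DOCBASE + "/WEB-INF/web.xml": "<web-app/>",
        },
        case_insensitive=True,
        strip_trailing_dots=True,
    )


def demo() -> Dict[str, int]:
    fs = windows_like_fs()
    return {
        "/index.html": serve(fs, "/index.html")[0],
        "/WEB-INF/web.xml": serve(fs, "/WEB-INF/web.xml")[0],
        "/WEB-INF./web.xml (default)": serve(fs, "/WEB-INF./web.xml")[0],
        "/WEB-INF./web.xml (allowLinking)":
            serve(fs, "/WEB-INF./web.xml", allow_linking=True)[0],
        "/WEB-INF./web.xml (allowLinking + comment #5 check)":
            serve(fs, "/WEB-INF./web.xml", allow_linking=True,
                  windows_prefix_check=True)[0],
        "/INDEX.HTML (case mismatch)": serve(fs, "/INDEX.HTML")[0],
    }


if __name__ == "__main__":
    for req, status in demo().items():
        print(f"{req:55} -> {status}")
```

With the defaults the trailing-period request is refused only by the canonical-path comparison, which is why `allow_linking=True` turns it into a 200 on the Windows-like file system and why the same request stays a 404 on a file system that does not strip trailing periods: there is simply no file called `WEB-INF.` to open.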



[Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793

2017-08-02 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

--- Comment #2 from Remy Maucherat  ---
The canonical path comparison is a last resort safety net. So it's still useful
then, that's interesting. If you confirm the behavior, it seems we're good as
is, the check is supposed to catch this and prevent trouble (but then a webapp
has to be fully packaged as per the specification).




[Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793

2017-08-02 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

Svetlin Zarev  changed:

   What|Removed |Added

 CC||svetlin.za...@abv.bg




[Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793

2017-08-02 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

Mark Thomas  changed:

   What|Removed |Added

 OS||All

--- Comment #1 from Mark Thomas  ---
As per http://tomcat.apache.org/security.html security vulnerabilities should
be reported privately to the Apache Tomcat Security Team - not via the public
bug tracker.

Reporting vulnerabilities publicly potentially exposes all Tomcat users to the
vulnerability until the vulnerability is patched.

Unfortunately, once information on a vulnerability is made public it can't be
made private.

Given the circumstances, we might as well make the best of this and use it as
an opportunity to give the Tomcat community an insight into how the Tomcat
security team addresses a security vulnerability and keep discussion on this
issue in the open. There is one caveat. If, during the investigation, we
uncover a separate but related security issue we will keep that information
private until that separate issue is resolved.

My initial reaction to this report is that - knowing how the WEB-INF check is
implemented - I'd be surprised if this was valid. The usual way the check is
bypassed on Windows is setting allowLinking=true (and setting that on Windows
is a configuration error). In this case I don't think that would allow the
behaviour seen here. Other possible causes are a poorly configured reverse
proxy or an unusual configuration of appBase and docBase.

Next steps are to see if the report can be reproduced.

I don't have a Windows Server 2012 R2 install to hand so I have started the
process to set one up.

While the 2012 R2 ISO is downloading, I tested a clean build of the latest
8.5.x code running on Windows 7 and I do not see this behaviour. i.e.
http://localhost:8080/WEB-INF./web.xml returns a 404.

If I set allowLinking="true" I do see the behaviour described here. That is a
surprise. The good news is that that makes this a configuration error. There is
a very clear warning in the documentation that setting allowLinking="true" on
Windows or any platform with a case insensitive file system will create
security issues.

However, before resolving this issue as invalid we need to:
- confirm with the OP that they had set allowLinking="true"
- figure out why allowLinking="true" allows this particular bypass to occur




[Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793

2017-08-01 Thread bugzilla
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

Brett Schoppert  changed:

   What|Removed |Added

 OS||Windows Server 2012
