This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/master by this push:
new a77d54f Fix a potential resource leak
a77d54f is described below
commit a77d54fd6116d44dba2bee029cb3e57342ab1857
Author: Mark Thomas
AuthorDate: Wed Apr 17 12:37:36 2019 +0100
Fix a potential resource leak
---
java/org/apache/catalina/servlets/CGIServlet.java | 75 +++
webapps/docs/changelog.xml| 4 ++
2 files changed, 41 insertions(+), 38 deletions(-)
diff --git a/java/org/apache/catalina/servlets/CGIServlet.java
b/java/org/apache/catalina/servlets/CGIServlet.java
index 7a3396a..b519497 100644
--- a/java/org/apache/catalina/servlets/CGIServlet.java
+++ b/java/org/apache/catalina/servlets/CGIServlet.java
@@ -1178,54 +1178,53 @@ public final class CGIServlet extends HttpServlet {
return;
}
-File f = new File(destPath.toString());
-if (f.exists()) {
-try {
-is.close();
-} catch (IOException e) {
-log.warn(sm.getString("cgiServlet.expandCloseFail",
srcPath), e);
+try {
+File f = new File(destPath.toString());
+if (f.exists()) {
+// Don't need to expand if it already exists
+return;
}
-// Don't need to expand if it already exists
-return;
-}
-// create directories
-File dir = f.getParentFile();
-if (!dir.mkdirs() && !dir.isDirectory()) {
-log.warn(sm.getString("cgiServlet.expandCreateDirFail",
dir.getAbsolutePath()));
-return;
-}
+// create directories
+File dir = f.getParentFile();
+if (!dir.mkdirs() && !dir.isDirectory()) {
+log.warn(sm.getString("cgiServlet.expandCreateDirFail",
dir.getAbsolutePath()));
+return;
+}
-try {
-synchronized (expandFileLock) {
-// make sure file doesn't exist
-if (f.exists()) {
-return;
-}
+try {
+synchronized (expandFileLock) {
+// make sure file doesn't exist
+if (f.exists()) {
+return;
+}
-// create file
-if (!f.createNewFile()) {
-return;
-}
+// create file
+if (!f.createNewFile()) {
+return;
+}
-try {
Files.copy(is, f.toPath());
-} finally {
-is.close();
-}
-if (log.isDebugEnabled()) {
-log.debug(sm.getString("cgiServlet.expandOk", srcPath,
destPath));
+if (log.isDebugEnabled()) {
+log.debug(sm.getString("cgiServlet.expandOk",
srcPath, destPath));
+}
}
-}
-} catch (IOException ioe) {
-log.warn(sm.getString("cgiServlet.expandFail", srcPath,
destPath), ioe);
-// delete in case file is corrupted
-if (f.exists()) {
-if (!f.delete()) {
-log.warn(sm.getString("cgiServlet.expandDeleteFail",
f.getAbsolutePath()));
+} catch (IOException ioe) {
+log.warn(sm.getString("cgiServlet.expandFail", srcPath,
destPath), ioe);
+// delete in case file is corrupted
+if (f.exists()) {
+if (!f.delete()) {
+
log.warn(sm.getString("cgiServlet.expandDeleteFail", f.getAbsolutePath()));
+}
}
}
+} finally {
+try {
+is.close();
+} catch (IOException e) {
+log.warn(sm.getString("cgiServlet.expandCloseFail",
srcPath), e);
+}
}
}
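Review bot: The unchanged `Files.copy(is, f.toPath());` inside the `synchronized (expandFileLock)` block runs right after `f.createNewFile()` has created the target, and `Files.copy(InputStream, Path)` without options throws `FileAlreadyExistsException` when the target exists. As written, the expansion therefore looks like it always ends in the `catch (IOException ioe)` branch and deletes the file again. Changing the call to `Files.copy(is, f.toPath(), StandardCopyOption.REPLACE_EXISTING);` (with the `java.nio.file.StandardCopyOption` import) keeps the `createNewFile()` guard and lets the copy proceed. Separately, the first `if (f.exists())` check is outside `expandFileLock`, so a concurrent request could see the file while it is still being written and presumably treat a partial script as already expanded; copying to a temporary file in the same directory and moving it into place would close that window. The enclosing method starts and ends outside the hunk, so the null handling of `is` and the derivation of `destPath` are not visible here.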
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 9e99e0b..d1648f8 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -52,6 +52,10 @@
path which in turn meant resource URLs were not being constructed as
expected. (markt)
+
+Fix a potential resource leak when executing CGI scripts from a WAR
+file. Identified by Coverity