Posted to dev@tomcat.apache.org by ma...@apache.org on 2021/06/25 15:10:33 UTC
[tomcat] branch main updated: Further fix for BZ 65397. Account for
symlink above CATALINA_BASE
This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 8f3cba9 Further fix for BZ 65397. Account for symlink above CATALINA_BASE
8f3cba9 is described below
commit 8f3cba9bb189ada767537126efb3ebd181f3aae6
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Jun 25 16:10:11 2021 +0100
Further fix for BZ 65397. Account for symlink above CATALINA_BASE
Detected on MacOS where the default tmp location for unit tests is
located under a symlink.
---
.../catalina/webresources/AbstractFileResourceSet.java | 14 ++++++++++++--
java/org/apache/catalina/webresources/DirResourceSet.java | 7 +++++--
2 files changed, 17 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index 3930a90..2635bbf 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -114,8 +114,8 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
// Remove the fileBase location from the start of the paths since that
// was not part of the requested path and the remaining check only
// applies to the request path
- absPath = absPath.substring(absoluteBase.length());
- canPath = canPath.substring(canonicalBase.length());
+ absPath = removeAbsoluteBase(absPath);
+ canPath = removeCanonicalBase(canPath);
// Case sensitivity check
// The normalized requested path should be an exact match the equivalent
@@ -145,6 +145,16 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
}
+ protected String removeAbsoluteBase(String absolutePath) {
+ return absolutePath.substring(absoluteBase.length());
+ }
+
+
+ protected String removeCanonicalBase(String canonicalPath) {
+ return canonicalPath.substring(canonicalBase.length());
+ }
+
+
protected void logIgnoredSymlink(String contextPath, String absPath, String canPath) {
String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
contextPath, absPath, canPath);
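Review bot: `removeAbsoluteBase` and `removeCanonicalBase` strip the base by length alone and never verify that the argument begins with `absoluteBase` / `canonicalBase`. The DirResourceSet hunk now passes `entry.getCanonicalPath()` straight in, and an entry that is a symlink is the one case where the canonical path need not lie under `canonicalBase`. A shorter path makes `substring` throw `StringIndexOutOfBoundsException` (whether the enclosing `try` handles it is not visible here), while a longer one leaves an unrelated tail that is then compared with `absPath`. Test the prefix before stripping, e.g. `if (!canonicalPath.startsWith(canonicalBase))`, and have the caller keep `symlink` set when it fails rather than relying on the string comparison. Both protected helpers would also benefit from a one-line Javadoc stating that the argument must start with the corresponding base.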
diff --git a/java/org/apache/catalina/webresources/DirResourceSet.java b/java/org/apache/catalina/webresources/DirResourceSet.java
index 354ca90..4f44567 100644
--- a/java/org/apache/catalina/webresources/DirResourceSet.java
+++ b/java/org/apache/catalina/webresources/DirResourceSet.java
@@ -166,8 +166,11 @@ public class DirResourceSet extends AbstractFileResourceSet {
String absPath = null;
String canPath = null;
try {
- absPath = entry.getAbsolutePath();
- canPath = entry.getCanonicalPath();
+ // Base location may be inside a symlink. Only
+ // need to check here if the requested path uses
+ // symlinks so remove the base paths.
+ absPath = removeAbsoluteBase(entry.getAbsolutePath());
+ canPath = removeCanonicalBase(entry.getCanonicalPath());
if (absPath.equals(canPath)) {
symlink = false;
}
Re: [tomcat] branch main updated: Further fix for BZ 65397. Account
for symlink above CATALINA_BASE
Posted by Mark Thomas <ma...@apache.org>.
On 25/06/2021 16:10, markt@apache.org wrote:
> This is an automated email from the ASF dual-hosted git repository.
>
> markt pushed a commit to branch main
> in repository https://gitbox.apache.org/repos/asf/tomcat.git
>
>
> The following commit(s) were added to refs/heads/main by this push:
> new 8f3cba9 Further fix for BZ 65397. Account for symlink above CATALINA_BASE
> 8f3cba9 is described below
>
> commit 8f3cba9bb189ada767537126efb3ebd181f3aae6
> Author: Mark Thomas <ma...@apache.org>
> AuthorDate: Fri Jun 25 16:10:11 2021 +0100
>
> Further fix for BZ 65397. Account for symlink above CATALINA_BASE
>
> Detected on MacOS where the default tmp location for unit tests is
> located under a symlink.
And now this breaks on Windows...
Working on a fix...
Mark
> ---
> .../catalina/webresources/AbstractFileResourceSet.java | 14 ++++++++++++--
> java/org/apache/catalina/webresources/DirResourceSet.java | 7 +++++--
> 2 files changed, 17 insertions(+), 4 deletions(-)
>
> diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> index 3930a90..2635bbf 100644
> --- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> +++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> @@ -114,8 +114,8 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
> // Remove the fileBase location from the start of the paths since that
> // was not part of the requested path and the remaining check only
> // applies to the request path
> - absPath = absPath.substring(absoluteBase.length());
> - canPath = canPath.substring(canonicalBase.length());
> + absPath = removeAbsoluteBase(absPath);
> + canPath = removeCanonicalBase(canPath);
>
> // Case sensitivity check
> // The normalized requested path should be an exact match the equivalent
> @@ -145,6 +145,16 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
> }
>
>
> + protected String removeAbsoluteBase(String absolutePath) {
> + return absolutePath.substring(absoluteBase.length());
> + }
> +
> +
> + protected String removeCanonicalBase(String canonicalPath) {
> + return canonicalPath.substring(canonicalBase.length());
> + }
> +
> +
> protected void logIgnoredSymlink(String contextPath, String absPath, String canPath) {
> String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
> contextPath, absPath, canPath);
> diff --git a/java/org/apache/catalina/webresources/DirResourceSet.java b/java/org/apache/catalina/webresources/DirResourceSet.java
> index 354ca90..4f44567 100644
> --- a/java/org/apache/catalina/webresources/DirResourceSet.java
> +++ b/java/org/apache/catalina/webresources/DirResourceSet.java
> @@ -166,8 +166,11 @@ public class DirResourceSet extends AbstractFileResourceSet {
> String absPath = null;
> String canPath = null;
> try {
> - absPath = entry.getAbsolutePath();
> - canPath = entry.getCanonicalPath();
> + // Base location may be inside a symlink. Only
> + // need to check here if the requested path uses
> + // symlinks so remove the base paths.
> + absPath = removeAbsoluteBase(entry.getAbsolutePath());
> + canPath = removeCanonicalBase(entry.getCanonicalPath());
> if (absPath.equals(canPath)) {
> symlink = false;
> }
>