Posted to dev@tomcat.apache.org by re...@apache.org on 2021/01/28 21:12:53 UTC

[tomcat] branch 8.5.x updated (19f5a7a -> e8626d7)

This is an automated email from the ASF dual-hosted git repository.

remm pushed a change to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from 19f5a7a  65111: Free direct buffers
     new 195d073  Add a new utility method to test if a path is an absolute URI
     new e8626d7  Fix bug 65106. Don't try to treat absolute URIs as files

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 java/org/apache/tomcat/util/buf/UriUtil.java       | 35 ++++++++++
 .../apache/tomcat/util/file/ConfigFileLoader.java  | 22 ++++---
 .../tomcat/util/buf/TestUriUtilIsAbsoluteURI.java  | 77 ++++++++++++++++++++++
 webapps/docs/changelog.xml                         |  8 +++
 4 files changed, 133 insertions(+), 9 deletions(-)
 create mode 100644 test/org/apache/tomcat/util/buf/TestUriUtilIsAbsoluteURI.java




[tomcat] 02/02: Fix bug 65106. Don't try to treat absolute URIs as files

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit e8626d73b1df78c236d3e06dc878344c5a5ad73b
Author: remm <re...@apache.org>
AuthorDate: Thu Jan 28 22:12:01 2021 +0100

    Fix bug 65106. Don't try to treat absolute URIs as files
    
    Note that the InvalidPathException catch block was removed as valid
    file:/... URIs will now skip the File and class loader block and be
    processed just as URIs.
---
 .../apache/tomcat/util/file/ConfigFileLoader.java  | 22 +++++++++++++---------
 webapps/docs/changelog.xml                         |  8 ++++++++
 2 files changed, 21 insertions(+), 9 deletions(-)

diff --git a/java/org/apache/tomcat/util/file/ConfigFileLoader.java b/java/org/apache/tomcat/util/file/ConfigFileLoader.java
index 7cd66ab..54631b2 100644
--- a/java/org/apache/tomcat/util/file/ConfigFileLoader.java
+++ b/java/org/apache/tomcat/util/file/ConfigFileLoader.java
@@ -24,6 +24,7 @@ import java.io.InputStream;
 import java.net.URI;
 import java.net.URL;
 
+import org.apache.tomcat.util.buf.UriUtil;
 import org.apache.tomcat.util.res.StringManager;
 
 /**
@@ -69,15 +70,18 @@ public class ConfigFileLoader {
      *                     provided location
      */
     public static InputStream getInputStream(String location) throws IOException {
-        // Location was originally always a file before URI support was added so
-        // try file first.
-
-        File f = new File(location);
-        if (!f.isAbsolute()) {
-            f = new File(CATALINA_BASE_FILE, location);
-        }
-        if (f.isFile()) {
-            return new FileInputStream(f);
+        // Originally only File was supported. Class loader and URI were added
+        // later. However (see bug 65106) treating some URIs as files can cause
+        // problems. Therefore, if path starts with a valid URI scheme then skip
+        // straight to processing this as a URI.
+        if (!UriUtil.isAbsoluteURI(location)) {
+            File f = new File(location);
+            if (!f.isAbsolute()) {
+                f = new File(CATALINA_BASE_FILE, location);
+            }
+            if (f.isFile()) {
+                return new FileInputStream(f);
+            }
         }
 
         // File didn't work so try URI.
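Review bot: The context comment `// File didn't work so try URI.` after the new `if` block is no longer accurate for locations that `UriUtil.isAbsoluteURI` accepts, because the File lookup is now skipped for them rather than tried and failed; `// Not a file (or an absolute URI, which skips the file lookup) so try URI.` would match the new flow. The method's Javadoc, which starts above the hunk, should also state that a location beginning with `file:/` or `<scheme>://` is never resolved against `CATALINA_BASE_FILE` and goes straight to URI handling, since that prefix now decides whether a configured value is read from local disk or opened through a URL handler. `getInputStream` continues below the hunk, so the URI branch itself is not visible here.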
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e6abb85..35e4475 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -104,6 +104,14 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 8.5.63 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>65106</bug>: Fix the ConfigFileLoader handling of file URIs when
+        running under a security manager on some JREs. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <fix>




[tomcat] 01/02: Add a new utility method to test if a path is an absolute URI

Posted by re...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

remm pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 195d073ff8b5d3c463ff4b3f796a0e4b6f1f5292
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jan 28 17:07:22 2021 +0000

    Add a new utility method to test if a path is an absolute URI
---
 java/org/apache/tomcat/util/buf/UriUtil.java       | 35 ++++++++++
 .../tomcat/util/buf/TestUriUtilIsAbsoluteURI.java  | 77 ++++++++++++++++++++++
 2 files changed, 112 insertions(+)

diff --git a/java/org/apache/tomcat/util/buf/UriUtil.java b/java/org/apache/tomcat/util/buf/UriUtil.java
index f88bc9d..374814b 100644
--- a/java/org/apache/tomcat/util/buf/UriUtil.java
+++ b/java/org/apache/tomcat/util/buf/UriUtil.java
@@ -193,4 +193,39 @@ public final class UriUtil {
     public static String getWarSeparator() {
         return WAR_SEPARATOR;
     }
+
+
+    /**
+     * Does the provided path start with <code>file:/</code> or
+     * <code>&lt;protocol&gt;://</code>.
+     *
+     * @param path The path to test
+     *
+     * @return {@code} if the supplied path starts with once of the recognised
+     *         sequences.
+     */
+    public static boolean isAbsoluteURI(String path) {
+        // Special case as only a single /
+        if (path.startsWith("file:/")) {
+            return true;
+        }
+
+        // Start at the beginning of the path and skip over any valid protocol
+        // characters
+        int i = 0;
+        while (i < path.length() && isSchemeChar(path.charAt(i))) {
+            i++;
+        }
+        // Need at least one protocol character. False positives with Windows
+        // drives such as C:/... will be caught by the later test for "://"
+        if (i == 0) {
+            return false;
+        }
+        // path starts with something that might be a protocol. Look for a
+        // following "://"
+        if (i + 2 < path.length() && path.charAt(i++) == ':' && path.charAt(i++) == '/' && path.charAt(i) == '/') {
+            return true;
+        }
+        return false;
+    }
 }
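Review bot: The `file:/` special case in `isAbsoluteURI` is a case-sensitive `startsWith`, so a location such as `FILE:/conf/server.xml` fails it and, having only one slash, cannot pass the later `://` test either; the method returns false whichever way `isSchemeChar` (defined outside the hunk) treats upper-case letters, and the caller still handles the value as a file path. URI schemes are case-insensitive, so `if (path.regionMatches(true, 0, "file:/", 0, 6)) {` would cover that input. The Javadoc `@return` has an empty `{@code}` and a typo; it should read `{@code true} if the supplied path starts with one of the recognised sequences`, and it is worth stating that a null `path` throws `NullPointerException`. The final condition advances `i` inside the test itself; `return path.startsWith("://", i);` expresses the same check without side effects.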
diff --git a/test/org/apache/tomcat/util/buf/TestUriUtilIsAbsoluteURI.java b/test/org/apache/tomcat/util/buf/TestUriUtilIsAbsoluteURI.java
new file mode 100644
index 0000000..f1ede74
--- /dev/null
+++ b/test/org/apache/tomcat/util/buf/TestUriUtilIsAbsoluteURI.java
@@ -0,0 +1,77 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.tomcat.util.buf;
+
+import java.util.ArrayList;
+import java.util.Collection;
+import java.util.List;
+
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameter;
+
+
+@RunWith(Parameterized.class)
+public class TestUriUtilIsAbsoluteURI {
+
+    @Parameterized.Parameters(name = "{index}: path[{0}], expected[{1}]")
+    public static Collection<Object[]> parameters() {
+
+        List<Object[]> parameterSets = new ArrayList<>();
+
+        parameterSets.add(new Object[] { "", Boolean.FALSE } );
+
+        parameterSets.add(new Object[] { "h", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "ht", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "htt", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "http", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "http:", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "http:/", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "http://", Boolean.TRUE } );
+        parameterSets.add(new Object[] { "http://foo", Boolean.TRUE } );
+
+        parameterSets.add(new Object[] { "f", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "fi", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "fil", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "file", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "file:", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "file:/", Boolean.TRUE } );
+        parameterSets.add(new Object[] { "file://", Boolean.TRUE } );
+
+        parameterSets.add(new Object[] { "c", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "c:", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "c:/", Boolean.FALSE } );
+        parameterSets.add(new Object[] { "c:/foo", Boolean.FALSE } );
+
+        return parameterSets;
+    }
+
+
+    @Parameter(0)
+    public String path;
+
+    @Parameter(1)
+    public Boolean valid;
+
+    @Test
+    public void test() {
+        boolean result = UriUtil.isAbsoluteURI(path);
+        Assert.assertEquals(path, valid, Boolean.valueOf(result));
+    }
+}
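Review bot: The parameter list in `parameters()` pins only lower-case `http`, `file` and a drive letter, so the boundaries most relevant to the `ConfigFileLoader` caller are untested: a nested scheme, an upper-case scheme and an input that begins with the separator. Adding `parameterSets.add(new Object[] { "jar:file:/foo", Boolean.FALSE } );` and `parameterSets.add(new Object[] { "://foo", Boolean.FALSE } );` would record what the implementation in this commit appears to return today, and a `"FILE:/foo"` row would force an explicit decision on scheme case. A short class-level comment saying that the rows walk each prefix one character at a time up to the first accepted form would make the table's intent clear to later maintainers.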

