Posted to dev@tomcat.apache.org by bu...@apache.org on 2009/07/23 16:47:56 UTC
DO NOT REPLY [Bug 47564] New: .. and WEB-INF are allowed in pathInfo assignment
https://issues.apache.org/bugzilla/show_bug.cgi?id=47564
Summary: .. and WEB-INF are allowed in pathInfo assignment
Product: Tomcat 6
Version: 6.0.18
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: mgainty@hotmail.com
Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18,
and possibly earlier versions normalizes the target pathname before filtering
the query string when using the RequestDispatcher method, which allows remote
attackers to bypass intended access restrictions and conduct directory
traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a
Request.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515
org.apache.catalina.core.ApplicationDispatcher.java

import java.util.regex.Matcher;
import java.util.regex.Pattern;

public ApplicationDispatcher(Wrapper wrapper, String requestURI, String servletPath,
                             String pathInfo, String queryString, String name) {
    super();
    // Save all of our configuration parameters
    this.wrapper = wrapper;
    this.context = (Context) wrapper.getParent();
    this.requestURI = requestURI;
    this.servletPath = servletPath;
    //change
    // this.pathInfo = pathInfo;
    //to
    // "\\.." is a literal dot followed by any one character, so this also fires on "a.b"
    Pattern p = Pattern.compile("\\..");
    Matcher m = p.matcher(pathInfo);
    if (m.find())
        System.err.println("pathinfo should not contain dot dot");
    // Checks for pathInfo that contains WEB-INF (case-sensitive) and prints a message if it does.
    p = Pattern.compile("WEB-INF");
    m = p.matcher(pathInfo);
    if (m.find()) {
        System.err.println("pathinfo should not contain WEB-INF ");
    }
    // everything in kitchen sink except for .. or WEB-INF
    // (a character class matches one character at a time, so this finds single
    // characters from the listed sets rather than the strings ".." or "WEB-INF")
    p = Pattern.compile("[a-zA-Z0-9-[\\..][WEB-INF]]");
    m = p.matcher(pathInfo);
    StringBuffer sb = new StringBuffer();
    while (m.find()) {
        sb.append(m.group());
    }
    // Add the last segment of input to the new String
    // (no appendReplacement() was called, so appendTail() copies the whole of pathInfo)
    m.appendTail(sb);
    this.pathInfo = sb.toString();
    //end mod
    this.queryString = queryString;
    this.name = name;
    if (wrapper instanceof StandardWrapper)
        this.support = ((StandardWrapper) wrapper).getInstanceSupport();
    else
        this.support = new InstanceSupport(wrapper);
}
It has been a while since I worked with regexps, so tweaking is appreciated.
Martin Gainty
23 July 2009
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 47564] .. and WEB-INF are allowed in pathInfo assignment
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=47564
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #1 from Mark Thomas <ma...@apache.org> 2009-07-23 09:27:54 PST ---
Bugzilla is not the correct forum for reporting security issues. Please read:
http://tomcat.apache.org/security.html
This is a known, fixed issue. Again, please read:
http://tomcat.apache.org/security.html
There is no need to report bugs that have already been fixed.
The patch proposed above is bad and should not be applied. Users are strongly
encouraged to follow the advice in the security advisories to resolve this
issue. More information can be found in the Tomcat security pages:
http://tomcat.apache.org/security.html
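The reply above rejects the proposed regex patch without spelling out what is wrong with it. As an added illustration, not code from the bug report and not Tomcat's actual fix for CVE-2008-5515, the stand-alone Java program below shows what the posted dot-dot pattern really matches and contrasts it with a check that normalises the path first and only then rejects segments that climb above the context root or enter WEB-INF or META-INF (compared case-insensitively). The class name, method names and sample paths are assumptions, and the check assumes the path has already been URL-decoded.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;
import java.util.regex.Pattern;

public class PathInfoCheck {
    // The pattern from the proposed patch: "\\.." is a literal dot followed by ANY
    // character, so "index.html" trips it just as ".." does (overbroad, not precise).
    static boolean postedDotDotCheck(String pathInfo) {
        return Pattern.compile("\\..").matcher(pathInfo).find();
    }

    // Hypothetical hardened check (not Tomcat's fix): normalise first, decide second.
    // Returns true when the context-relative path is acceptable for dispatching.
    static boolean isSafePathInfo(String pathInfo) {
        if (pathInfo == null || pathInfo.isEmpty()) return true;
        if (pathInfo.indexOf('\\') >= 0) return false; // backslashes are never harmless here
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : pathInfo.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) continue; // "//" and "/./" collapse away
            if (seg.equals("..")) {
                if (segments.isEmpty()) return false;       // would climb above the context root
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        if (segments.isEmpty()) return true;                // normalised to the root itself
        String first = segments.peekFirst().toUpperCase(Locale.ROOT);
        return !first.equals("WEB-INF") && !first.equals("META-INF");
    }

    public static void main(String[] args) {
        // Constructed samples: one benign, two reaching WEB-INF, one escaping the root, one that normalises cleanly.
        String[] samples = {"/index.html", "/docs/../WEB-INF/web.xml", "/web-inf/web.xml", "/../x", "/a/../b"};
        for (String s : samples) {
            System.out.printf("%-26s posted=%-5b hardened=%b%n",
                    s, postedDotDotCheck(s), isSafePathInfo(s));
        }
    }
}
```

Running it shows the posted pattern flagging every sample, including the benign "/index.html", while the normalise-then-check version rejects only the three paths that actually escape the root or reach WEB-INF.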