Posted to dev@tomcat.apache.org by "Craig R. McClanahan" <cr...@apache.org> on 2001/08/09 21:49:55 UTC
[VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
least on Win98, but I didn't check 3.3). Therefore, I would propose to do
a Beta 7 release tonight that picks up this change (and other bugfixes
since Beta 6).
Thanks to peter_c60@hotmail.com for the report.
Craig McClanahan
---------- Forwarded message ----------
Date: 9 Aug 2001 19:43:00 -0000
From: craigmcc@apache.org
Reply-To: tomcat-dev@jakarta.apache.org
To: jakarta-tomcat-4.0-cvs@apache.org
Subject: cvs commit:
jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http
HttpProcessor.java
craigmcc 01/08/09 12:43:00
Modified: catalina/src/share/org/apache/catalina/connector/http
HttpProcessor.java
Log:
Make request URIs that contain "/..." (or any longer series of periods)
invalid. On some (all?) Windows platforms, this causes the OS to walk the
directory tree just like "../../.." type sequences do.
PR: Bugzilla #3062
Submitted by: peter_c60@hotmail.com
Revision Changes Path
1.35 +9 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java
Index: HttpProcessor.java
===================================================================
RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- HttpProcessor.java 2001/07/26 05:31:05 1.34
+++ HttpProcessor.java 2001/08/09 19:43:00 1.35
@@ -1,6 +1,6 @@
-/* * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java,v 1.34 2001/07/26 05:31:05 remm Exp $
- * $Revision: 1.34 $
- * $Date: 2001/07/26 05:31:05 $
+/* * $Header: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java,v 1.35 2001/08/09 19:43:00 craigmcc Exp $
+ * $Revision: 1.35 $
+ * $Date: 2001/08/09 19:43:00 $
*
* ====================================================================
*
@@ -106,7 +106,7 @@
*
* @author Craig R. McClanahan
* @author Remy Maucherat
- * @version $Revision: 1.34 $ $Date: 2001/07/26 05:31:05 $
+ * @version $Revision: 1.35 $ $Date: 2001/08/09 19:43:00 $
*/
final class HttpProcessor
@@ -879,6 +879,11 @@
normalized = normalized.substring(0, index2) +
normalized.substring(index + 3);
}
+
+ // Declare occurrences of "/..." (three or more dots) to be invalid
+ // (on some Windows platforms this walks the directory tree!!!)
+ if (normalized.indexOf("/...") >= 0)
+ return (null);
// Return the normalized path that we have completed
return (normalized);
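Review bot: in the @@ -879 hunk the new test `normalized.indexOf("/...") >= 0` runs after the "/../" collapsing loop, which is the right point to check, but the comment "three or more dots" overstates it: the check only matches a run of dots that begins a path segment, so a segment such as `/name...` passes through; either the comment should say so or the condition should be widened on purpose. The Windows-specific reason in the inline comment belongs in the method's javadoc as well, and a unit test over `/a/.../b`, `/a/..../b` and a clean `/a/b` would lock the intended behaviour in.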
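The rule from the commit message, written out as a stand-alone request-path normaliser (an added example, not Tomcat's own code): collapse "//", "/./" and "/../" segments, refuse a path that climbs above the root, and refuse any segment that starts with three or more dots, the same condition the `indexOf("/...")` check expresses. The class name and the sample paths are constructed for the example.

```java
import java.util.ArrayDeque;
import java.util.Deque;

// Added example, not Tomcat's own code; class name and sample paths are constructed.
public final class PathNormalizer {
    /** Canonical form of a decoded request path, or null when it must be refused:
     *  no leading "/", a "/../" that climbs above the root, or a segment that
     *  starts with three or more dots (the "/..." case from the commit message). */
    public static String normalize(String path) {
        if (path == null || !path.startsWith("/")) {
            return null;
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String segment : path.split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue;                  // collapse "//" and "/./"
            }
            if (segment.equals("..")) {
                if (segments.isEmpty()) {
                    return null;           // "/../" would leave the root
                }
                segments.removeLast();     // resolve "/a/../" to "/"
                continue;
            }
            if (segment.startsWith("...")) {
                return null;               // same condition as indexOf("/...") in the patch
            }
            segments.addLast(segment);
        }
        StringBuilder out = new StringBuilder();
        for (String segment : segments) {
            out.append('/').append(segment);
        }
        return out.length() == 0 ? "/" : out.toString();
    }

    public static void main(String[] args) {
        String[] samples = {               // constructed inputs
            "/app/./css//style.css",       // "." and "//" are collapsed
            "/app/images/../index.html",   // ".." resolves against "images"
            "/app/.../private.txt",        // three-dot segment is refused
            "/app/..../private.txt",       // longer run of dots is refused
            "/../outside.txt",             // ".." above the root is refused
        };
        for (String s : samples) {
            System.out.println(s + " -> " + normalize(s));
        }
    }
}
```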
Re: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Posted by Remy Maucherat <re...@apache.org>.
> > Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
> > least on Win98, but I didn't check 3.3). Therefore, I would propose to do
> > a Beta 7 release tonight that picks up this change (and other bugfixes
> > since Beta 6).
Send an email once the tag is in, so that I can build the Windows installer
version.
Remy
Re: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Posted by Remy Maucherat <re...@apache.org>.
> Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
> least on Win98, but I didn't check 3.3). Therefore, I would propose to do
> a Beta 7 release tonight that picks up this change (and other bugfixes
> since Beta 6).
+1.
Remy
Re: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Posted by Amy Roh <am...@apache.org>.
+1
Amy
----- Original Message -----
From: "Craig R. McClanahan" <cr...@apache.org>
To: <to...@jakarta.apache.org>
Sent: Thursday, August 09, 2001 12:49 PM
Subject: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
> Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
> least on Win98, but I didn't check 3.3). Therefore, I would propose to do
> a Beta 7 release tonight that picks up this change (and other bugfixes
> since Beta 6).
>
> Thanks to peter_c60@hotmail.com for the report.
>
> Craig McClanahan
>
>
> ---------- Forwarded message ----------
> Date: 9 Aug 2001 19:43:00 -0000
> From: craigmcc@apache.org
> Reply-To: tomcat-dev@jakarta.apache.org
> To: jakarta-tomcat-4.0-cvs@apache.org
> Subject: cvs commit:
> jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http
> HttpProcessor.java
>
> craigmcc 01/08/09 12:43:00
>
> Modified: catalina/src/share/org/apache/catalina/connector/http
> HttpProcessor.java
> Log:
> Make request URIs that contain "/..." (or any longer series of periods)
> invalid. On some (all?) Windows platforms, this causes the OS to walk the
> directory tree just like "../../.." type sequences do.
>
> PR: Bugzilla #3062
> Submitted by: peter_c60@hotmail.com
>
> Revision Changes Path
> 1.35 +9 -4 jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java
>
> Index: HttpProcessor.java
> ===================================================================
> RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java,v
> retrieving revision 1.34
> retrieving revision 1.35
> diff -u -r1.34 -r1.35
> --- HttpProcessor.java 2001/07/26 05:31:05 1.34
> +++ HttpProcessor.java 2001/08/09 19:43:00 1.35
> @@ -1,6 +1,6 @@
> -/* * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connecto
r/http/HttpProcessor.java,v 1.34 2001/07/26 05:31:05 remm Exp $
> - * $Revision: 1.34 $
> - * $Date: 2001/07/26 05:31:05 $
> +/* * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connecto
r/http/HttpProcessor.java,v 1.35 2001/08/09 19:43:00 craigmcc Exp $
> + * $Revision: 1.35 $
> + * $Date: 2001/08/09 19:43:00 $
> *
> * ====================================================================
> *
> @@ -106,7 +106,7 @@
> *
> * @author Craig R. McClanahan
> * @author Remy Maucherat
> - * @version $Revision: 1.34 $ $Date: 2001/07/26 05:31:05 $
> + * @version $Revision: 1.35 $ $Date: 2001/08/09 19:43:00 $
> */
>
> final class HttpProcessor
> @@ -879,6 +879,11 @@
> normalized = normalized.substring(0, index2) +
> normalized.substring(index + 3);
> }
> +
> + // Declare occurrences of "/..." (three or more dots) to be
invalid
> + // (on some Windows platforms this walks the directory tree!!!)
> + if (normalized.indexOf("/...") >= 0)
> + return (null);
>
> // Return the normalized path that we have completed
> return (normalized);
Re: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Pier P. Fumagalli at pier@betaversion.org wrote:
> Craig R. McClanahan at craigmcc@apache.org wrote:
>
>>
>>
>> On Thu, 9 Aug 2001, Pier P. Fumagalli wrote:
>>
>>> Craig R. McClanahan at craigmcc@apache.org wrote:
>>>
>>>> Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
>>>> least on Win98, but I didn't check 3.3). Therefore, I would propose to do
>>>> a Beta 7 release tonight that picks up this change (and other bugfixes
>>>> since Beta 6).
>>>
>>> I'm cool with it. Can I integrate the sources from WARP into the core
>>> Catalina distribution before the release? I'll tag also the
>>> jakarta-tomcat-connectors/webapp repository...
>>>
>>
>> Yep. Go ahead and integrate them.
>
> Done, jakarta-tomcat-connectors/webapp tagged with "tomcat_40_b7". I'm not
> going to modify the Java sources anymore (maybe something will happen with
> the C portion of it, but it doesn't affect the Catalina distribution)...
>
> It's a GO for me...
Forgot to mention... Once you do the build (tag the repo), I'm going to put
a source of WebApp alongside with the regular Tomcat 4.0 distrib (as we did
for B6).
Pier
Re: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Craig R. McClanahan at craigmcc@apache.org wrote:
>
>
> On Thu, 9 Aug 2001, Pier P. Fumagalli wrote:
>
>> Craig R. McClanahan at craigmcc@apache.org wrote:
>>
>>> Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
>>> least on Win98, but I didn't check 3.3). Therefore, I would propose to do
>>> a Beta 7 release tonight that picks up this change (and other bugfixes
>>> since Beta 6).
>>
>> I'm cool with it. Can I integrate the sources from WARP into the core
>> Catalina distribution before the release? I'll tag also the
>> jakarta-tomcat-connectors/webapp repository...
>>
>
> Yep. Go ahead and integrate them.
Done, jakarta-tomcat-connectors/webapp tagged with "tomcat_40_b7". I'm not
going to modify the Java sources anymore (maybe something will happen with
the C portion of it, but it doesn't affect the Catalina distribution)...
It's a GO for me...
Pier
Re: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Posted by "Craig R. McClanahan" <cr...@apache.org>.
On Thu, 9 Aug 2001, Pier P. Fumagalli wrote:
> Craig R. McClanahan at craigmcc@apache.org wrote:
>
> > Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
> > least on Win98, but I didn't check 3.3). Therefore, I would propose to do
> > a Beta 7 release tonight that picks up this change (and other bugfixes
> > since Beta 6).
>
> I'm cool with it. Can I integrate the sources from WARP into the core
> Catalina distribution before the release? I'll tag also the
> jakarta-tomcat-connectors/webapp repository...
>
Yep. Go ahead and integrate them.
> Pier
>
>
Craig
Re: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Posted by "Pier P. Fumagalli" <pi...@betaversion.org>.
Craig R. McClanahan at craigmcc@apache.org wrote:
> Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
> least on Win98, but I didn't check 3.3). Therefore, I would propose to do
> a Beta 7 release tonight that picks up this change (and other bugfixes
> since Beta 6).
I'm cool with it. Can I integrate the sources from WARP into the core
Catalina distribution before the release? I'll tag also the
jakarta-tomcat-connectors/webapp repository...
Pier