You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/06/07 08:55:30 UTC

[tomcat] branch 8.5.x updated: Fix symlink edge case

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new 5b44a238cf Fix symlink edge case
5b44a238cf is described below

commit 5b44a238cfef8e41ad7594dbbe1857775eda9a19
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 7 09:49:49 2023 +0100

    Fix symlink edge case
---
 .../apache/catalina/webresources/AbstractFileResourceSet.java    | 5 +++++
 webapps/docs/changelog.xml                                       | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index e910e65118..019bb908f4 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -117,6 +117,11 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
         absPath = absPath.substring(absoluteBase.length());
         canPath = canPath.substring(canonicalBase.length());
 
+        // The remaining request path must start with '/' if it has non-zero length
+        if (canPath.length() > 0 && canPath.charAt(0) != '/') {
+            return null;
+        }
+
         // Case sensitivity check
         // The normalized requested path should be an exact match the equivalent
         // canonical path. If it is not, possible reasons include:
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c26c866625..5815df9289 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -105,6 +105,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 8.5.91 (schultz)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Fix an edge case where intra-web application symlinks would be followed
+        if the web applications were deliberately crafted to allow it even when
+        <code>allowLinking</code> was set to <code>false</code>. (markt)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 8.5.90 (schultz)" rtext="release in progress">
   <subsection name="Catalina">


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org