Posted to dev@tomcat.apache.org by kk...@apache.org on 2017/09/22 00:29:54 UTC
svn commit: r1809248 - /tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
Author: kkolinko
Date: Fri Sep 22 00:29:54 2017
New Revision: 1809248
URL: http://svn.apache.org/viewvc?rev=1809248&view=rev
Log:
Remove condition that is always false, thanks to "canPath.startsWith(canonicalBase)" check a few lines earlier.
Modified:
tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
Modified: tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java?rev=1809248&r1=1809247&r2=1809248&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java Fri Sep 22 00:29:54 2017
@@ -93,11 +93,10 @@ public abstract class AbstractFileResour
// the request processing) but might be possible for some access via the
// Servlet API (RequestDispatcher, HTTP/2 push etc.) therefore these
// checks are retained as an additional safety measure
- // absoluteBase has been normalized so absPath needs to normalized as
+ // absoluteBase has been normalized so absPath needs to be normalized as
// well.
String absPath = normalize(file.getAbsolutePath());
- if (absoluteBase.length() > absPath.length() ||
- canonicalBase.length() > canPath.length()) {
+ if (absoluteBase.length() > absPath.length()) {
return null;
}
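Review bot: The remaining `if (absoluteBase.length() > absPath.length())` now depends on an invariant that is not visible at this point in the code: the log message says the canonical length test is redundant because of the `canPath.startsWith(canonicalBase)` check a few lines earlier, but the comment block above still reads "these checks are retained as an additional safety measure" without saying which checks remain or why the canonical one could go. Since this is a path-containment guard, I would add one line to that comment stating that `canPath.startsWith(canonicalBase)` already guarantees `canPath` is at least as long as `canonicalBase`, so that a later change to the earlier `startsWith` test does not silently drop the length protection. The absolute-path test has no equivalent `startsWith` guarantee in the visible lines, so keeping it is the conservative choice.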
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1809248 - /tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
Posted by Mark Thomas <ma...@apache.org>.
On 22/09/17 01:29, kkolinko@apache.org wrote:
> Author: kkolinko
> Date: Fri Sep 22 00:29:54 2017
> New Revision: 1809248
>
> URL: http://svn.apache.org/viewvc?rev=1809248&view=rev
> Log:
> Remove condition that is always false, thanks to "canPath.startsWith(canonicalBase)" check a few lines earlier.
Thanks for catching this.
I've been trying to think if there are any circumstances under which the
absoluteBase.length() > absPath.length()
test could fail. I can't think of any but I'm not confident enough of
that at this point to remove the check.
Mark
>
> Modified:
> tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
>
> Modified: tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java?rev=1809248&r1=1809247&r2=1809248&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java Fri Sep 22 00:29:54 2017
> @@ -93,11 +93,10 @@ public abstract class AbstractFileResour
> // the request processing) but might be possible for some access via the
> // Servlet API (RequestDispatcher, HTTP/2 push etc.) therefore these
> // checks are retained as an additional safety measure
> - // absoluteBase has been normalized so absPath needs to normalized as
> + // absoluteBase has been normalized so absPath needs to be normalized as
> // well.
> String absPath = normalize(file.getAbsolutePath());
> - if (absoluteBase.length() > absPath.length() ||
> - canonicalBase.length() > canPath.length()) {
> + if (absoluteBase.length() > absPath.length()) {
> return null;
> }