Posted to dev@tomcat.apache.org by kk...@apache.org on 2017/09/22 00:29:54 UTC

svn commit: r1809248 - /tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java

Author: kkolinko
Date: Fri Sep 22 00:29:54 2017
New Revision: 1809248

URL: http://svn.apache.org/viewvc?rev=1809248&view=rev
Log:
Remove condition that is always false, thanks to "canPath.startsWith(canonicalBase)" check a few lines earlier.

Modified:
    tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java

Modified: tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java?rev=1809248&r1=1809247&r2=1809248&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java Fri Sep 22 00:29:54 2017
@@ -93,11 +93,10 @@ public abstract class AbstractFileResour
         // the request processing) but might be possible for some access via the
         // Servlet API (RequestDispatcher, HTTP/2 push etc.) therefore these
         // checks are retained as an additional safety measure
-        // absoluteBase has been normalized so absPath needs to normalized as
+        // absoluteBase has been normalized so absPath needs to be normalized as
         // well.
         String absPath = normalize(file.getAbsolutePath());
-        if (absoluteBase.length() > absPath.length() ||
-                canonicalBase.length() > canPath.length()) {
+        if (absoluteBase.length() > absPath.length()) {
             return null;
         }
 
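Review bot: At the shortened `if`, the safety of dropping `canonicalBase.length() > canPath.length()` rests entirely on the `canPath.startsWith(canonicalBase)` check named in the log message, which sits outside this hunk, and nothing at this site records that dependency. Since the surrounding comment says these checks are retained as an additional safety measure, consider adding a line here such as `// canonicalBase length is covered by the canPath.startsWith(canonicalBase) check above`, so that a later reordering or removal of that earlier check does not silently leave the canonical path without a guard. The remaining `absoluteBase.length() > absPath.length()` test compares lengths only; the lines shown do not say what it protects, so a short comment on that would help too.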



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Re: svn commit: r1809248 - /tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java

Posted by Mark Thomas <ma...@apache.org>.
On 22/09/17 01:29, kkolinko@apache.org wrote:
> Author: kkolinko
> Date: Fri Sep 22 00:29:54 2017
> New Revision: 1809248
> 
> URL: http://svn.apache.org/viewvc?rev=1809248&view=rev
> Log:
> Remove condition that is always false, thanks to "canPath.startsWith(canonicalBase)" check a few lines earlier.

Thanks for catching this.

I've been trying to think if there are any circumstances under which the

absoluteBase.length() > absPath.length()

test could fail. I can't think of any but I'm not confident enough of
that at this point to remove the check.

Mark


> 
> Modified:
>     tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> 
> Modified: tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java?rev=1809248&r1=1809247&r2=1809248&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java Fri Sep 22 00:29:54 2017
> @@ -93,11 +93,10 @@ public abstract class AbstractFileResour
>          // the request processing) but might be possible for some access via the
>          // Servlet API (RequestDispatcher, HTTP/2 push etc.) therefore these
>          // checks are retained as an additional safety measure
> -        // absoluteBase has been normalized so absPath needs to normalized as
> +        // absoluteBase has been normalized so absPath needs to be normalized as
>          // well.
>          String absPath = normalize(file.getAbsolutePath());
> -        if (absoluteBase.length() > absPath.length() ||
> -                canonicalBase.length() > canPath.length()) {
> +        if (absoluteBase.length() > absPath.length()) {
>              return null;
>          }
>  
> 
> 
> 

