Posted to dev@tomcat.apache.org by ma...@apache.org on 2020/11/06 19:05:47 UTC

[tomcat] branch master updated (8a89da0 -> 7f004ac)

This is an automated email from the ASF dual-hosted git repository.

markt pushed a change to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git.


    from 8a89da0  Remove unused code
     new 7f68b14  Line length
     new 7f004ac  Fix BZ 64871. Log if file access is blocked due to symlinks

The 2 revisions listed above as "new" are entirely new to this
repository and will be described in separate emails.  The revisions
listed as "add" were already present in the repository and have only
been added to this reference.


Summary of changes:
 .../webresources/AbstractFileResourceSet.java      | 19 ++++++++++++++++-
 .../catalina/webresources/LocalStrings.properties  |  2 ++
 webapps/docs/changelog.xml                         | 24 ++++++++++++++--------
 3 files changed, 36 insertions(+), 9 deletions(-)




[tomcat] 01/02: Line length

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 7f68b1422dbe25db49d8dfb0e16e3c3468d3b3a6
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Nov 6 17:42:39 2020 +0000

    Line length
---
 webapps/docs/changelog.xml | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 806c1e5..2836ac7 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -65,14 +65,18 @@
         an error. (remm)
       </fix>
       <fix>
-        Remove the entry for <code>org.apache.tomcat.util.descriptor.tld.LocalStrings</code>
-        from tomcat-embed-core's GraalVM tomcat-resource.json. It no more part of the jar
-        since <a href="https://github.com/apache/tomcat/commit/3815b4951eb3acd30a0b77aafa75fbdb928d5782">
-        Fix unwanted JPMS dependency of embed-core on embed-jasper</a>. (mgrigorov)
+        Remove the entry for
+        <code>org.apache.tomcat.util.descriptor.tld.LocalStrings</code>
+        from tomcat-embed-core's GraalVM tomcat-resource.json. It no more part
+        of the jar since
+        <a href="https://github.com/apache/tomcat/commit/3815b4951eb3acd30a0b77aafa75fbdb928d5782">
+        Fix unwanted JPMS dependency of embed-core on embed-jasper</a>.
+        (mgrigorov)
       </fix>
       <fix>
-        Add org.apache.coyote.http11.Http11Nio2Protocol to the list of classes which could be instantiated
-        via reflection in GraalVM. (mgrigorov)
+        Add <code>org.apache.coyote.http11.Http11Nio2Protocol</code> to the list
+        of classes which could be instantiated via reflection in GraalVM.
+        (mgrigorov)
       </fix>
       <add>
         Add <code>JsonErrorReportValve</code> that extends the
@@ -80,8 +84,8 @@
         HTML. (kfujino)
       </add>
       <add>
-        Add GraalVM config for Tomcat JNI related classes. This makes it possible to use the APR
-        protocol in GraalVM native images. (mgrigorov)
+        Add GraalVM config for Tomcat JNI related classes. This makes it
+        possible to use the APR protocol in GraalVM native images. (mgrigorov)
       </add>
       <fix>
         JNDIRealm connections should only be created with the container




[tomcat] 02/02: Fix BZ 64871. Log if file access is blocked due to symlinks

Posted by ma...@apache.org.
This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/tomcat.git

commit 7f004ac4531c45f9a2a2d1470561fe135cf27bc2
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Fri Nov 6 19:03:57 2020 +0000

    Fix BZ 64871. Log if file access is blocked due to symlinks
    
    https://bz.apache.org/bugzilla/show_bug.cgi?id=64871
---
 .../webresources/AbstractFileResourceSet.java         | 19 ++++++++++++++++++-
 .../catalina/webresources/LocalStrings.properties     |  2 ++
 webapps/docs/changelog.xml                            |  4 ++++
 3 files changed, 24 insertions(+), 1 deletion(-)

diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index c799341..59fc771 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
 import java.net.URL;
 
 import org.apache.catalina.LifecycleException;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.compat.JrePlatform;
 import org.apache.tomcat.util.http.RequestUtil;
 
 public abstract class AbstractFileResourceSet extends AbstractResourceSet {
 
+    private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
+
     protected static final String[] EMPTY_STRING_ARRAY = new String[0];
 
     private File fileBase;
@@ -128,6 +132,19 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
             canPath = normalize(canPath);
         }
         if (!canPath.equals(absPath)) {
+            if (!canPath.equalsIgnoreCase(absPath)) {
+                // Typically means symlinks are in use but being ignored. Given
+                // the symlink was likely created for a reason, log a warning
+                // that it was ignored.
+                String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
+                        getRoot().getContext().getName(), absPath, canPath);
+                // Log issues with configuration files at a higher level
+                if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
+                    log.error(msg);
+                } else {
+                    log.warn(msg);
+                }
+            }
             return null;
         }
 
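Review bot: The added `log.error(msg)` / `log.warn(msg)` calls run on every lookup that fails the canonical-path check, and `absPath` and `canPath` in the message are taken from the looked-up path, so if that path originates from a request the same mismatch can be logged without limit, at ERROR level for `/WEB-INF/` and `/META-INF/`. Consider throttling the message (I believe Tomcat's `UserDataHelper` serves this purpose elsewhere) or logging each distinct path once, and confirm the log format neutralises control characters in `{1}` and `{2}`. The inner `equalsIgnoreCase` test filters out only case-only differences, so every other cause of a mismatch is reported as a probable symlink; the comment could say so, e.g. `// Any non-case mismatch lands here, not only symlinks`. On style, `if(absPath.startsWith(` should be `if (absPath.startsWith(`. The enclosing method starts and ends outside the hunk, so how `absPath` is derived is inferred rather than visible.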
@@ -144,7 +161,7 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
         // expression irrespective of input length.
         for (int i = 0; i < len; i++) {
             char c = name.charAt(i);
-            if (c == '\"' || c == '<' || c == '>') {
+            if (c == '\"' || c == '<' || c == '>' || c == ':') {
                 // These characters are disallowed in Windows file names and
                 // there are known problems for file names with these characters
                 // when using File#getCanonicalPath().
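Review bot: Adding `c == ':'` to the rejected characters changes which file names are served, yet neither the commit message nor the changelog entry in this commit mentions it, and the comment under the condition gives no reason specific to the colon. I would add a line such as `// ':' is the Windows drive and NTFS alternate data stream separator` and give the change its own changelog entry, since it tightens a file-name validation check rather than adding logging. Whether `name` can ever carry a drive prefix, in which case every such path would now be rejected, depends on the caller, and the enclosing method starts and ends outside the hunk.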
diff --git a/java/org/apache/catalina/webresources/LocalStrings.properties b/java/org/apache/catalina/webresources/LocalStrings.properties
index fb9badc..af9f9fe 100644
--- a/java/org/apache/catalina/webresources/LocalStrings.properties
+++ b/java/org/apache/catalina/webresources/LocalStrings.properties
@@ -15,6 +15,8 @@
 
 abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
 
+abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
+
 abstractResource.getContentFail=Unable to return [{0}] as a byte array
 abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2836ac7..b3d0001 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -92,6 +92,10 @@
         classloader as the thread context classloader, just like for the JAAS
         realm. (remm)
       </fix>
+      <add>
+        <bug>64871</bug>: Log a warning if Tomcat blocks access to a file
+        because it uses symlinks. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">

