Posted to dev@tomcat.apache.org by Mark Thomas <ma...@apache.org> on 2017/09/21 20:21:53 UTC

Status update

I believe CVE-2017-12617 is addressed in 9.0.x

The file() method has been reviewed by kkolinko and remm and I have
implemented their comments. I have also refactored the method and added
comments to make the intended behaviour clearer.

It is possible that there is scope to optimise some of the checks
further but I think we should consider them in slower time rather than
risk making a quick decision now only to introduce a regression that
could have security implications.

I'd like to give folks a chance to review the 9.0.x changes again before
back-porting so, assuming positive reviews, I intend to back-port tomorrow.

I plan to use the time between now and starting the back-ports to check
9.0.x against the published Servlet 4.0 API with a view to the next
9.0.x vote including both beta and stable as options (assuming our
implementation matches the Servlet 4.0 API).

Mark
