You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/09/20 12:52:48 UTC
svn commit: r1809025 - in /tomcat/trunk:
java/org/apache/catalina/webresources/DirResourceSet.java
test/org/apache/catalina/webresources/AbstractTestResourceSet.java
webapps/docs/changelog.xml
Author: markt
Date: Wed Sep 20 12:52:47 2017
New Revision: 1809025
URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
Log:
Partial fix for CVE-2017-12617
This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API.
Modified:
tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java Wed Sep 20 12:52:47 2017
@@ -217,6 +217,12 @@ public class DirResourceSet extends Abst
return false;
}
+ // write() is meant to create a file so ensure that the path doesn't
+ // end in '/'
+ if (path.endsWith("/")) {
+ return false;
+ }
+
File dest = null;
String webAppMount = getWebAppMount();
if (path.startsWith(webAppMount)) {
Modified: tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java (original)
+++ tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java Wed Sep 20 12:52:47 2017
@@ -447,14 +447,8 @@ public abstract class AbstractTestResour
public final void testWriteDirB() {
WebResource d1 = resourceRoot.getResource(getMount() + "/d1/");
InputStream is = new ByteArrayInputStream("test".getBytes());
- if (d1.exists()) {
+ if (d1.exists() || d1.isVirtual()) {
Assert.assertFalse(resourceRoot.write(getMount() + "/d1/", is, false));
- } else if (d1.isVirtual()) {
- Assert.assertTrue(resourceRoot.write(
- getMount() + "/d1/", is, false));
- File file = new File(getBaseDir(), "d1");
- Assert.assertTrue(file.exists());
- Assert.assertTrue(file.delete());
} else {
Assert.fail("Unhandled condition in unit test");
}
@@ -490,6 +484,14 @@ public abstract class AbstractTestResour
}
}
+ @Test
+ public final void testWriteWithTrailingSlash() {
+ String newFileName = getNewFileName() + "/";
+ InputStream is = new ByteArrayInputStream("test".getBytes());
+ Assert.assertFalse(resourceRoot.write(
+ getMount() + "/" + newFileName, is, false));
+ }
+
protected abstract String getNewFileName();
// ------------------------------------------------------ getCanonicalPath()
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Sep 20 12:52:47 2017
@@ -45,6 +45,15 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.0.M28 (markt)" rtext="in development">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+ uploaded via a specially crafted request when HTTP PUT was enabled.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Coyote">
<changelog>
<add>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1809025 - in /tomcat/trunk:
java/org/apache/catalina/webresources/DirResourceSet.java
test/org/apache/catalina/webresources/AbstractTestResourceSet.java
webapps/docs/changelog.xml
Posted by Mark Thomas <ma...@apache.org>.
On 20/09/17 14:04, Mark Thomas wrote:
> On 20/09/17 13:52, markt@apache.org wrote:
>> Author: markt
>> Date: Wed Sep 20 12:52:47 2017
>> New Revision: 1809025
>>
>> URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
>> Log:
>> Partial fix for CVE-2017-12617
>> This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API.
>
> I think the fix for 9.0.x is complete but I want to do some more testing
> around the edge cases to make sure. Additional testing welcome.
>
> Once we are satisfied the fix is complete, I'll start back-porting.
I've done some testing to see how Windows behaves with all possible
characters at the end of a file name.
The behaviour falls into 1 of four options:
a) getCanonicalPath() throws an IOException
b) getCanonicalPath() != getAbsolutePath()
c) getCanonicalPath() == getAbsolutePath() and the file name is
unaltered from that provided.
d) getCanonicalPath() == getAbsolutePath() but the file name is
unaltered from that provided.
The only characters that trigger d) are '/' and '\'.
Before today, cases a), b) and c) were handled correctly.
On Windows '\' is always converted to '/' so only '/' needs to be handled.
The patches I made today handle '/' so I believe that the fix is complete.
An extra pair of eyes or two on the proposed patch and the thinking
above would be appreciated.
At this point, I'm thinking back-port tomorrow morning and then tag and
release.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
Re: svn commit: r1809025 - in /tomcat/trunk:
java/org/apache/catalina/webresources/DirResourceSet.java
test/org/apache/catalina/webresources/AbstractTestResourceSet.java
webapps/docs/changelog.xml
Posted by Mark Thomas <ma...@apache.org>.
On 20/09/17 13:52, markt@apache.org wrote:
> Author: markt
> Date: Wed Sep 20 12:52:47 2017
> New Revision: 1809025
>
> URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
> Log:
> Partial fix for CVE-2017-12617
> This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API.
I think the fix for 9.0.x is complete but I want to do some more testing
around the edge cases to make sure. Additional testing welcome.
Once we are satisfied the fix is complete, I'll start back-porting.
Mark
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org