You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/09/20 12:52:48 UTC

svn commit: r1809025 - in /tomcat/trunk: java/org/apache/catalina/webresources/DirResourceSet.java test/org/apache/catalina/webresources/AbstractTestResourceSet.java webapps/docs/changelog.xml

Author: markt
Date: Wed Sep 20 12:52:47 2017
New Revision: 1809025

URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
Log:
Partial fix for CVE-2017-12617
This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API.

Modified:
    tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
    tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java Wed Sep 20 12:52:47 2017
@@ -217,6 +217,12 @@ public class DirResourceSet extends Abst
             return false;
         }
 
+        // write() is meant to create a file so ensure that the path doesn't
+        // end in '/'
+        if (path.endsWith("/")) {
+            return false;
+        }
+
         File dest = null;
         String webAppMount = getWebAppMount();
         if (path.startsWith(webAppMount)) {

Modified: tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java (original)
+++ tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java Wed Sep 20 12:52:47 2017
@@ -447,14 +447,8 @@ public abstract class AbstractTestResour
     public final void testWriteDirB() {
         WebResource d1 = resourceRoot.getResource(getMount() + "/d1/");
         InputStream is = new ByteArrayInputStream("test".getBytes());
-        if (d1.exists()) {
+        if (d1.exists() || d1.isVirtual()) {
             Assert.assertFalse(resourceRoot.write(getMount() + "/d1/", is, false));
-        } else if (d1.isVirtual()) {
-            Assert.assertTrue(resourceRoot.write(
-                    getMount() + "/d1/", is, false));
-            File file = new File(getBaseDir(), "d1");
-            Assert.assertTrue(file.exists());
-            Assert.assertTrue(file.delete());
         } else {
             Assert.fail("Unhandled condition in unit test");
         }
@@ -490,6 +484,14 @@ public abstract class AbstractTestResour
         }
     }
 
+    @Test
+    public final void testWriteWithTrailingSlash() {
+        String newFileName = getNewFileName() + "/";
+        InputStream is = new ByteArrayInputStream("test".getBytes());
+        Assert.assertFalse(resourceRoot.write(
+                getMount() + "/" + newFileName, is, false));
+    }
+
     protected abstract String getNewFileName();
 
     // ------------------------------------------------------ getCanonicalPath()

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Sep 20 12:52:47 2017
@@ -45,6 +45,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.0.M28 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+        uploaded via a specially crafted request when HTTP PUT was enabled.
+        (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <add>



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: svn commit: r1809025 - in /tomcat/trunk: java/org/apache/catalina/webresources/DirResourceSet.java test/org/apache/catalina/webresources/AbstractTestResourceSet.java webapps/docs/changelog.xml

Posted by Mark Thomas <ma...@apache.org>.

On 20/09/17 14:04, Mark Thomas wrote:
> On 20/09/17 13:52, markt@apache.org wrote:
>> Author: markt
>> Date: Wed Sep 20 12:52:47 2017
>> New Revision: 1809025
>>
>> URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
>> Log:
>> Partial fix for CVE-2017-12617
>> This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API.
> 
> I think the fix for 9.0.x is complete but I want to do some more testing
> around the edge cases to make sure. Additional testing welcome.
> 
> Once we are satisfied the fix is complete, I'll start back-porting.

I've done some testing to see how Windows behaves with all possible
characters at the end of a file name.

The behaviour falls into 1 of four options:
a) getCanonicalPath() throws an IOException
b) getCanonicalPath() != getAbsolutePath()
c) getCanonicalPath() == getAbsolutePath() and the file name is
   unaltered from that provided.
d) getCanonicalPath() == getAbsolutePath() but the file name is
   unaltered from that provided.

The only characters that trigger d) are '/' and '\'.

Before today, cases a), b) and c) were handled correctly.

On Windows '\' is always converted to '/' so only '/' needs to be handled.

The patches I made today handle '/' so I believe that the fix is complete.

An extra pair of eyes or two on the proposed patch and the thinking
above would be appreciated.

At this point, I'm thinking back-port tomorrow morning and then tag and
release.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

Re: svn commit: r1809025 - in /tomcat/trunk: java/org/apache/catalina/webresources/DirResourceSet.java test/org/apache/catalina/webresources/AbstractTestResourceSet.java webapps/docs/changelog.xml

Posted by Mark Thomas <ma...@apache.org>.

On 20/09/17 13:52, markt@apache.org wrote:
> Author: markt
> Date: Wed Sep 20 12:52:47 2017
> New Revision: 1809025
> 
> URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
> Log:
> Partial fix for CVE-2017-12617
> This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API.

I think the fix for 9.0.x is complete but I want to do some more testing
around the edge cases to make sure. Additional testing welcome.

Once we are satisfied the fix is complete, I'll start back-porting.

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org