Posted to dev@tomcat.apache.org by ma...@apache.org on 2018/06/30 20:40:20 UTC

svn commit: r1834763 - in /tomcat/tc7.0.x/trunk: java/org/apache/naming/resources/VirtualDirContext.java test/org/apache/naming/resources/TestVirtualDirContext.java webapps/docs/changelog.xml

Author: markt
Date: Sat Jun 30 20:40:20 2018
New Revision: 1834763

URL: http://svn.apache.org/viewvc?rev=1834763&view=rev
Log:
Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=62498
Correct a regression in the fix for CVE-2017-12617 that caused request failures for some requests when using the VirtualDirContext.

Added:
    tomcat/tc7.0.x/trunk/test/org/apache/naming/resources/TestVirtualDirContext.java   (with props)
Modified:
    tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java
    tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java?rev=1834763&r1=1834762&r2=1834763&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java (original)
+++ tomcat/tc7.0.x/trunk/java/org/apache/naming/resources/VirtualDirContext.java Sat Jun 30 20:40:20 2018
@@ -212,7 +212,8 @@ public class VirtualDirContext extends F
                     }
                 }
             }
-            if (name.startsWith(path + "/")) {
+            path += "/";
+            if (name.startsWith(path)) {
                 String res = name.substring(path.length());
                 for (String resourcesDir : dirList) {
                     file = new File(resourcesDir, res);
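Review bot: Reassigning the loop variable at `path += "/";` changes what `path` means for the rest of the iteration, and nothing in the hunk records that `res` is now relative to `resourcesDir`, where the old `substring(path.length())` left the separator at the front. A separate local keeps the mapping key intact and states the intent: `final String prefix = path + "/";`, then `if (name.startsWith(prefix)) {` and `String res = name.substring(prefix.length());`, with a comment such as `// separator is consumed with the prefix, so res never starts with '/'`. Because `res` is taken from the looked-up name and joined with `new File(resourcesDir, res)`, it is worth confirming that the path validation introduced for CVE-2017-12617 still runs on the resulting `file`. That check is not visible here, since the loop body starts before and continues past the hunk.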

Added: tomcat/tc7.0.x/trunk/test/org/apache/naming/resources/TestVirtualDirContext.java
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/test/org/apache/naming/resources/TestVirtualDirContext.java?rev=1834763&view=auto
==============================================================================
--- tomcat/tc7.0.x/trunk/test/org/apache/naming/resources/TestVirtualDirContext.java (added)
+++ tomcat/tc7.0.x/trunk/test/org/apache/naming/resources/TestVirtualDirContext.java Sat Jun 30 20:40:20 2018
@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.io.File;
+
+import javax.naming.NamingException;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.catalina.startup.LoggingBaseTest;
+
+public class TestVirtualDirContext {
+
+    @Test
+    public void testBug62498() throws NamingException {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        File f1 = vdc.file("");
+        Assert.assertNotNull(f1);
+        File f2 = vdc.file("/");
+        Assert.assertNotNull(f2);
+        Assert.assertEquals(f1.getAbsolutePath(), f2.getAbsolutePath());
+
+        Object obj1 = vdc.lookup("");
+        Assert.assertTrue(obj1 instanceof FileDirContext);
+        Object obj2 = vdc.lookup("/");
+        Assert.assertTrue(obj2 instanceof FileDirContext);
+        Assert.assertEquals(((FileDirContext) obj1).absoluteBase, ((FileDirContext) obj2).absoluteBase);
+    }
+
+
+    @Test
+    public void testBug62498a() {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        File f1 = vdc.file("");
+        Assert.assertNotNull(f1);
+    }
+
+
+    @Test
+    public void testBug62498b() {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        File f2 = vdc.file("/");
+        Assert.assertNotNull(f2);
+    }
+
+
+    @Test
+    public void testBug62498c() throws NamingException {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        Object obj1 = vdc.lookup("");
+        Assert.assertTrue(obj1 instanceof FileDirContext);
+    }
+
+
+    @Test
+    public void testBug62498d() throws NamingException {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        Object obj2 = vdc.lookup("/");
+        Assert.assertTrue(obj2 instanceof FileDirContext);
+    }
+}
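Review bot: Every test here maps `/=` and looks up only `""` and `"/"`, so none of them requests a resource below the mapped directory, which is the case that the changed `name.startsWith(path)` and `substring(path.length())` lines in VirtualDirContext resolve. A test with a non-root mapping (a constructed example would be `/sub=` plus a file name known to exist under the build directory) would pin the new offset arithmetic. A negative test would also help: one asserting that `vdc.file(...)` does not return a file for a name the CVE-2017-12617 validation is meant to reject, so that this regression fix cannot silently loosen that check. A short comment on `testBug62498a` to `testBug62498d`, for example `// Single call on a fresh context: the failure may depend on which call runs first`, would explain why the one-call variants exist. That reading is inferred from the structure and should be confirmed.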

Propchange: tomcat/tc7.0.x/trunk/test/org/apache/naming/resources/TestVirtualDirContext.java
------------------------------------------------------------------------------
    svn:eol-style = native

Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1834763&r1=1834762&r2=1834763&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Sat Jun 30 20:40:20 2018
@@ -58,6 +58,13 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 7.0.90 (violetagg)">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>62498</fix>: Correct a regression in the fix for CVE-2017-12617 that
+      caused request failures for some requests when using the
+      <code>VirtualDirContext</code>. (markt)
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 7.0.89 (violetagg)">
   <subsection name="Catalina">


