You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2017/09/21 20:09:32 UTC

svn commit: r1809212 - /tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java

Author: markt
Date: Thu Sep 21 20:09:32 2017
New Revision: 1809212

URL: http://svn.apache.org/viewvc?rev=1809212&view=rev
Log:
Refactor and add additional comments to make intended behaviour clearer.

Modified:
    tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java

Modified: tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java?rev=1809212&r1=1809211&r2=1809212&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/AbstractFileResourceSet.java Thu Sep 21 20:09:32 2017
@@ -65,50 +65,60 @@ public abstract class AbstractFileResour
             return null;
         }
 
-        if (!mustExist || file.canRead()) {
+        // If the file/dir must exist but the identified file/dir can't be read
+        // then signal that the resource was not found
+        if (mustExist && !file.canRead()) {
+            return null;
+        }
 
-            if (getRoot().getAllowLinking()) {
-                return file;
-            }
-
-            // Check that this file is located under the WebResourceSet's base
-            String canPath = null;
-            try {
-                canPath = file.getCanonicalPath();
-            } catch (IOException e) {
-                // Ignore
-            }
-            if (canPath == null)
-                return null;
-
-            if (!canPath.startsWith(canonicalBase)) {
-                return null;
-            }
-
-            // Case sensitivity check
-            // Note: We know the resource is located somewhere under base at
-            //       point. The purpose of this code is to check in a case
-            //       sensitive manner, the path to the resource under base
-            //       agrees with what was requested
-            String absPath = normalize(file.getAbsolutePath());
-            if ((absoluteBase.length() < absPath.length())
-                    && (canonicalBase.length() < canPath.length())) {
-                absPath = absPath.substring(absoluteBase.length() + 1);
-                if (absPath.equals("")) {
-                    absPath = "/";
-                }
-                canPath = canPath.substring(canonicalBase.length() + 1);
-                if (canPath.equals("")) {
-                    canPath = "/";
-                }
-                if (!canPath.equals(absPath)) {
-                    return null;
-                }
-            }
+        // If allow linking is enabled, files are not limited to being located
+        // under the fileBase so all further checks are disabled.
+        if (getRoot().getAllowLinking()) {
+            return file;
+        }
 
-        } else {
+        // Check that this file is located under the WebResourceSet's base
+        String canPath = null;
+        try {
+            canPath = file.getCanonicalPath();
+        } catch (IOException e) {
+            // Ignore
+        }
+        if (canPath == null || !canPath.startsWith(canonicalBase)) {
             return null;
         }
+
+        // Ensure that the file is not outside the fileBase. This should not be
+        // possible for standard requests (the request is normalized early in
+        // the request processing) but might be possible for some access via the
+        // Servlet API (RequestDispatcher, HTTP/2 push etc.) therefore these
+        // checks are retained as an additional safety measure
+        // absoluteBase has been normalized so absPath needs to normalized as
+        // well.
+        String absPath = normalize(file.getAbsolutePath());
+        if (absoluteBase.length() > absPath.length() ||
+                canonicalBase.length() > canPath.length()) {
+            return null;
+        }
+
+        // Remove the fileBase location from the start of the paths since that
+        // was not part of the requested path and the remaining check only
+        // applies to the request path
+        absPath = absPath.substring(absoluteBase.length());
+        canPath = canPath.substring(canonicalBase.length());
+
+        // Case sensitivity check
+        // The normalized requested path should be an exact match the equivalent
+        // canonical path. If it is not, possible reasons include:
+        // - case differences on case insensitive file systems
+        // - Windows removing a trailing ' ' or '.' from the file name
+        //
+        // In all cases, a mis-match here results in the resource not being
+        // found
+        if (!canPath.equals(absPath)) {
+            return null;
+        }
+
         return file;
     }
 



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org