You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@tomcat.apache.org by bu...@apache.org on 2021/07/05 13:18:32 UTC

[Bug 65433] New: Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths

https://bz.apache.org/bugzilla/show_bug.cgi?id=65433

            Bug ID: 65433
           Summary: Possible StringIndexOutOfBoundsException for symlinks
                    in DirResourceSet.listWebAppPaths
           Product: Tomcat 9
           Version: 9.0.50
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: c_igaly@yahoo.co.uk
  Target Milestone: -----

Created attachment 37944
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=37944&action=edit
Patch to fix bug

When entry is symbolic link outside of parent directory, it is possible that
its cannonical path will be shorter than parent's cannonical path. In that case
attempt to evaluate expression

canPath = entry.getCanonicalPath().substring(f.getCanonicalPath().length());

will end in throwing java.lang.StringIndexOutOfBoundsException.

Suggested solution is to compare lengths begore evaluation. 

It is possible that this problem is also present elsewhere.

Same problem will affect 10.0.x and 8.5.x branches as well.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 65433] Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65433

Cedomir Igaly <c_...@yahoo.co.uk> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |c_igaly@yahoo.co.uk

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 65433] Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65433

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #1 from Mark Thomas <ma...@apache.org> ---
Thanks for the report and the patch.

Fixed in:
- 10.1.x for 10.1.0-M3 onwards
- 10.0.x for 10.0.9 onwards
- 9.0.x for 9.0.51 onwards
- 8.5.x for 8.5.70 onwards

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 65433] Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65433

--- Comment #2 from Martin Knoblauch <kn...@knobisoft.de> ---
FWIW: I can confirm that the fix solves my observed problems as well

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org

[Bug 65433] Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths

Posted by bu...@apache.org.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65433

Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kryadov@gmail.com

--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
*** Bug 65637 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org