Author: markt Date: Wed Sep 20 12:52:47 2017 New Revision: 1809025 URL: http://svn.apache.org/viewvc?rev=1809025&view=rev Log: Partial fix for CVE-2017-12617 This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API.
Modified:
tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java Wed Sep 20 12:52:47 2017
@@ -217,6 +217,12 @@ public class DirResourceSet extends Abst
 return false;
 }
 
+ // write() is meant to create a file so ensure that the path doesn't
+ // end in '/'
+ if (path.endsWith("/")) {
+ return false;
+ }
+
 File dest = null;
 String webAppMount = getWebAppMount();
 if (path.startsWith(webAppMount)) {

Modified: tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java (original)
+++ tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java Wed Sep 20 12:52:47 2017
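Review bot: The guard added to write() in DirResourceSet rejects only a path whose last character is '/', and its comment does not record the security reason given in the log message. Since the log calls this a partial fix for CVE-2017-12617, it is worth confirming that any other suffix the File API or the file system drops while resolving `dest` is rejected as well; write() continues outside the hunk, so such a check may already exist further down. I would extend the comment to say why the check is there, for example `// java.io.File drops a trailing '/', so the file created would not match the path that was requested (CVE-2017-12617)`. Because this branch returns false silently, a debug-level log line here (if the class has a logger in scope) would help operators notice rejected writes.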
@@ -447,14 +447,8 @@ public abstract class AbstractTestResour
 public final void testWriteDirB() {
 WebResource d1 = resourceRoot.getResource(getMount() + "/d1/");
 InputStream is = new ByteArrayInputStream("test".getBytes());
- if (d1.exists()) {
+ if (d1.exists() || d1.isVirtual()) {
 Assert.assertFalse(resourceRoot.write(getMount() + "/d1/", is, false));
- } else if (d1.isVirtual()) {
- Assert.assertTrue(resourceRoot.write(
- getMount() + "/d1/", is, false));
- File file = new File(getBaseDir(), "d1");
- Assert.assertTrue(file.exists());
- Assert.assertTrue(file.delete());
 } else {
 Assert.fail("Unhandled condition in unit test");
 }
@@ -490,6 +484,14 @@ public abstract class AbstractTestResour
 }
 }
 
+ @Test
+ public final void testWriteWithTrailingSlash() {
+ String newFileName = getNewFileName() + "/";
+ InputStream is = new ByteArrayInputStream("test".getBytes());
+ Assert.assertFalse(resourceRoot.write(
+ getMount() + "/" + newFileName, is, false));
+ }
+
 protected abstract String getNewFileName();
 
 // ------------------------------------------------------ getCanonicalPath()

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Sep 20 12:52:47 2017
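Review bot: Both changed tests assert only that write() returns false and never check that nothing was created on disk, which is the property the fix is meant to guarantee; this applies to the virtual-directory case now folded into the assertFalse branch of testWriteDirB() and to the new testWriteWithTrailingSlash(). In the new test, holding the generated name in a local `name` before appending "/" and adding `Assert.assertFalse(resourceRoot.getResource(getMount() + "/" + name).exists());` after the write call would catch a regression where write() reports failure but still leaves a file behind. In testWriteDirB() the removed branch built `new File(getBaseDir(), "d1")`; for the virtual case the same object could be asserted not to exist after the rejected write. The new test also calls `"test".getBytes()` without a charset, which is harmless for ASCII, though `StandardCharsets.UTF_8` would keep it platform-independent.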
@@ -45,6 +45,15 @@
 issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.0.M28 (markt)" rtext="in development">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+ uploaded via a specially crafted request when HTTP PUT was enabled.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
 <subsection name="Coyote">
 <changelog>
 <add>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org