Author: markt
Date: Wed Sep 20 12:52:47 2017
New Revision: 1809025

URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
Log:
Partial fix for CVE-2017-12617
This ensures that a path specified for the creation of a file does not end in '/',
since a trailing '/' is silently dropped by the java.io.File API.

Modified:
    tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
    
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
    tomcat/trunk/webapps/docs/changelog.xml

Modified: tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java 
(original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java Wed 
Sep 20 12:52:47 2017
@@ -217,6 +217,12 @@ public class DirResourceSet extends Abst
             return false;
         }
 
+        // write() is meant to create a file so ensure that the path doesn't
+        // end in '/'
+        if (path.endsWith("/")) {
+            return false;
+        }
+
         File dest = null;
         String webAppMount = getWebAppMount();
         if (path.startsWith(webAppMount)) {
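Review bot: The new guard rejects only a trailing '/', and the log itself calls this a partial fix; on Windows the filesystem additionally ignores trailing dots and spaces in a name, so a PUT for `x.jsp.` or `x.jsp ` would presumably still materialise as `x.jsp` and is not covered by this check — if that is deliberately left to a follow-up, the comment should say so. The comment should also name the CVE so the check is not later removed as redundant with the directory checks above it, e.g. `// Reject a trailing '/' (CVE-2017-12617): java.io.File silently drops it, so "x.jsp/" would otherwise create "x.jsp"`. write() begins before and continues after this hunk, so the ordering relative to the earlier `return false` paths is only partly visible here.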

Modified: 
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- 
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java 
(original)
+++ 
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java 
Wed Sep 20 12:52:47 2017
@@ -447,14 +447,8 @@ public abstract class AbstractTestResour
     public final void testWriteDirB() {
         WebResource d1 = resourceRoot.getResource(getMount() + "/d1/");
         InputStream is = new ByteArrayInputStream("test".getBytes());
-        if (d1.exists()) {
+        if (d1.exists() || d1.isVirtual()) {
             Assert.assertFalse(resourceRoot.write(getMount() + "/d1/", is, 
false));
-        } else if (d1.isVirtual()) {
-            Assert.assertTrue(resourceRoot.write(
-                    getMount() + "/d1/", is, false));
-            File file = new File(getBaseDir(), "d1");
-            Assert.assertTrue(file.exists());
-            Assert.assertTrue(file.delete());
         } else {
             Assert.fail("Unhandled condition in unit test");
         }
@@ -490,6 +484,14 @@ public abstract class AbstractTestResour
         }
     }
 
+    @Test
+    public final void testWriteWithTrailingSlash() {
+        String newFileName = getNewFileName() + "/";
+        InputStream is = new ByteArrayInputStream("test".getBytes());
+        Assert.assertFalse(resourceRoot.write(
+                getMount() + "/" + newFileName, is, false));
+    }
+
     protected abstract String getNewFileName();
 
     // ------------------------------------------------------ 
getCanonicalPath()
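Review bot: testWriteWithTrailingSlash asserts only that write() returns false, but the security property being pinned is that no file appears on disk, so the test should also check the side effect, mirroring what the removed branch of testWriteDirB did with getBaseDir(): `Assert.assertFalse(new File(getBaseDir(), getNewFileName()).exists());` after the write call. As a minor style point, `"test".getBytes()` uses the platform charset; `"test".getBytes(StandardCharsets.UTF_8)` is the conventional form, though it is harmless for ASCII here. The relationship between getBaseDir() and the mount returned by getMount() is not shown in this hunk, so the path in the extra assertion may need adjusting per subclass.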

Modified: tomcat/trunk/webapps/docs/changelog.xml
URL: 
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Sep 20 12:52:47 2017
@@ -45,6 +45,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.0.M28 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+        uploaded via a specially crafted request when HTTP PUT was enabled.
+        (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <add>


