Author: markt
Date: Wed Sep 20 12:52:47 2017
New Revision: 1809025
URL: http://svn.apache.org/viewvc?rev=1809025&view=rev
Log:
Partial fix for CVE-2017-12617
This ensures that a path specified for creation of a file does not end in '/'
since that is dropped by the File API.
Modified:
tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
tomcat/trunk/webapps/docs/changelog.xml
Modified: tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java
(original)
+++ tomcat/trunk/java/org/apache/catalina/webresources/DirResourceSet.java Wed
Sep 20 12:52:47 2017
@@ -217,6 +217,12 @@ public class DirResourceSet extends Abst
return false;
}
+ // write() is meant to create a file so ensure that the path doesn't
+ // end in '/'
+ if (path.endsWith("/")) {
+ return false;
+ }
+
File dest = null;
String webAppMount = getWebAppMount();
if (path.startsWith(webAppMount)) {
Modified:
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
---
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
(original)
+++
tomcat/trunk/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
Wed Sep 20 12:52:47 2017
@@ -447,14 +447,8 @@ public abstract class AbstractTestResour
public final void testWriteDirB() {
WebResource d1 = resourceRoot.getResource(getMount() + "/d1/");
InputStream is = new ByteArrayInputStream("test".getBytes());
- if (d1.exists()) {
+ if (d1.exists() || d1.isVirtual()) {
Assert.assertFalse(resourceRoot.write(getMount() + "/d1/", is,
false));
- } else if (d1.isVirtual()) {
- Assert.assertTrue(resourceRoot.write(
- getMount() + "/d1/", is, false));
- File file = new File(getBaseDir(), "d1");
- Assert.assertTrue(file.exists());
- Assert.assertTrue(file.delete());
} else {
Assert.fail("Unhandled condition in unit test");
}
@@ -490,6 +484,14 @@ public abstract class AbstractTestResour
}
}
+ @Test
+ public final void testWriteWithTrailingSlash() {
+ String newFileName = getNewFileName() + "/";
+ InputStream is = new ByteArrayInputStream("test".getBytes());
+ Assert.assertFalse(resourceRoot.write(
+ getMount() + "/" + newFileName, is, false));
+ }
+
protected abstract String getNewFileName();
// ------------------------------------------------------
getCanonicalPath()
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=1809025&r1=1809024&r2=1809025&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Wed Sep 20 12:52:47 2017
@@ -45,6 +45,15 @@
issues do not "pop up" wrt. others).
-->
<section name="Tomcat 9.0.0.M28 (markt)" rtext="in development">
+ <subsection name="Catalina">
+ <changelog>
+ <fix>
+ <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+ uploaded via a specially crafted request when HTTP PUT was enabled.
+ (markt)
+ </fix>
+ </changelog>
+ </subsection>
<subsection name="Coyote">
<changelog>
<add>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
