This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 8.5.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/8.5.x by this push:
new e9480cd Fix BZ 65397 - skip symlinks in getResourcePaths() results
e9480cd is described below

commit e9480cd8361f1dc60e89b5548202b33e334c0f44
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Thu Jun 24 16:00:21 2021 +0100

Fix BZ 65397 - skip symlinks in getResourcePaths() results

Calls to ServletContext.getResourcePaths() no longer include symbolic links in the results unless allowLinking has been set to true. If a resource is skipped because of this change, a warning will be logged as this typically indicates a configuration issue.

https://bz.apache.org/bugzilla/show_bug.cgi?id=65397
---
 .../webresources/AbstractFileResourceSet.java | 20 +++++++++++--------
 .../catalina/webresources/DirResourceSet.java | 23 ++++++++++++++++++++++
 webapps/docs/changelog.xml | 8 ++++++++
 3 files changed, 43 insertions(+), 8 deletions(-)

diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index 59fc771..3930a90 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -136,14 +136,7 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
 // Typically means symlinks are in use but being ignored. Given
 // the symlink was likely created for a reason, log a warning
 // that it was ignored.
- String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
- getRoot().getContext().getName(), absPath, canPath);
- // Log issues with configuration files at a higher level
- if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
- log.error(msg);
- } else {
- log.warn(msg);
- }
+ logIgnoredSymlink(getRoot().getContext().getName(), absPath, canPath);
 }
 return null;
 }
@@ -152,6 +145,17 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
 }
+ protected void logIgnoredSymlink(String contextPath, String absPath, String canPath) {
+ String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
+ contextPath, absPath, canPath);
+ // Log issues with configuration files at a higher level
+ if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
+ log.error(msg);
+ } else {
+ log.warn(msg);
+ }
+ }
+
 private boolean isInvalidWindowsFilename(String name) {
 final int len = name.length();
 if (len == 0) {
diff --git a/java/org/apache/catalina/webresources/DirResourceSet.java b/java/org/apache/catalina/webresources/DirResourceSet.java
index 234dc74..354ca90 100644
--- a/java/org/apache/catalina/webresources/DirResourceSet.java
+++ b/java/org/apache/catalina/webresources/DirResourceSet.java
@@ -157,6 +157,29 @@ public class DirResourceSet extends AbstractFileResourceSet {
 File[] list = f.listFiles();
 if (list != null) {
 for (File entry : list) {
+ // f has already been validated so the following checks
+ // can be much simpler than those in file()
+ if (!getRoot().getAllowLinking()) {
+ // allow linking is disabled so need to check for
+ // symlinks
+ boolean symlink = true;
+ String absPath = null;
+ String canPath = null;
+ try {
+ absPath = entry.getAbsolutePath();
+ canPath = entry.getCanonicalPath();
+ if (absPath.equals(canPath)) {
+ symlink = false;
+ }
+ } catch (IOException ioe) {
+ // Ignore the exception. Assume we have a symlink.
+ canPath = "Unknown";
+ }
+ if (symlink) {
+ logIgnoredSymlink(getRoot().getContext().getName(), absPath, canPath);
+ continue;
+ }
+ }
 StringBuilder sb = new StringBuilder(path);
 if (path.charAt(path.length() - 1) != '/') {
 sb.append('/');
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index c088a2f..96e1190 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
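Review bot: The new protected method `logIgnoredSymlink` has no Javadoc, and its escalation to `log.error` relies on `absPath` starting with `/META-INF/` or `/WEB-INF/`, which only holds when the caller passes a path relative to the resource set base rather than a filesystem absolute path; that precondition belongs in the method's contract since subclasses are now expected to call it. A Javadoc summarising that the method logs a resource ignored because it resolves through a symbolic link while allowLinking is false, at error level for entries under /META-INF/ or /WEB-INF/ and at warn level otherwise, with @param entries stating that absPath must be non-null and base-relative and that canPath may be the placeholder "Unknown", would cover it. Both callers pass `getRoot().getContext().getName()` as the first argument, so `String contextName` would describe that parameter more accurately than `contextPath`. The enclosing class continues beyond the hunk.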
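Review bot: The `absPath` passed to `logIgnoredSymlink` here is `entry.getAbsolutePath()`, the full filesystem path, so the `/META-INF/` and `/WEB-INF/` prefix test inside `logIgnoredSymlink` can never match for entries found during listing and a linked entry under WEB-INF is only ever reported at warn level; the existing caller in `file()` appears to pass base-relative paths (that code is outside the hunk), which is presumably what the prefix test was written for. Passing the web-application path of the entry, `path + '/' + entry.getName()` (the value the loop builds into `sb` just below), or the same base-relative form `file()` uses would make the two call sites consistent and keep the filesystem layout out of the log line. The caught `IOException` is discarded with `canPath = "Unknown"`, so when the canonical path cannot be resolved the log gives no hint why; logging `ioe` at debug level before assuming a symlink would help diagnose such a skip. The enclosing `list()` method starts and ends outside the hunk.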
@@ -115,6 +115,14 @@
 Fix serialization warnings in <code>UserDatabasePrincipal</code> reported by SpotBugs. (markt)
 </fix>
+ <fix>
+ <bug>65397</bug>: Calls to
+ <code>ServletContext.getResourcePaths()</code> no longer include
+ symbolic links in the results unless <code>allowLinking</code> has been
+ set to <code>true</code>. If a resource is skipped because of this
+ change, a warning will be logged as this typically indicates a
+ configuration issue. (markt)
+ </fix>
 </changelog>
 </subsection>
 <subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org