This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
commit 2d47ecf17f23593fd18c3285467531ff5e1545e8 Author: Mark Thomas <ma...@apache.org> AuthorDate: Thu Jun 27 17:25:49 2024 +0100 Complete fixes for BZ 69135 - prevent escape from /META-INF/tags/ --- .../apache/jasper/compiler/ParserController.java | 12 ++++++++ .../jasper/resources/LocalStrings.properties | 1 + .../apache/jasper/TestJspCompilationContext.java | 32 +++++++++++++++++++++ test/webapp/WEB-INF/lib/bug69135-lib.jar | Bin 7365 -> 7366 bytes .../bug6nnnn/bug69135-invalid-jar-escape.jsp | 18 ++++++++++++ test/webapp/bug6nnnn/bug69135-invalid-jar.jsp | 18 ++++++++++++ webapps/docs/changelog.xml | 16 +++++++++++ 7 files changed, 97 insertions(+) diff --git a/java/org/apache/jasper/compiler/ParserController.java b/java/org/apache/jasper/compiler/ParserController.java index 1b92d60b98..b35f58331d 100644 --- a/java/org/apache/jasper/compiler/ParserController.java +++ b/java/org/apache/jasper/compiler/ParserController.java @@ -43,6 +43,7 @@ import org.xml.sax.Attributes; class ParserController implements TagConstants { private static final String CHARSET = "charset="; + private static final String TAGS_IN_JAR_LOCATION = "/META-INF/tags/"; private final JspCompilationContext ctxt; private final Compiler compiler; @@ -186,6 +187,7 @@ class ParserController implements TagConstants { * @param jar The JAR file from which to read the JSP page or tag file, * or null if the JSP page or tag file is to be read from the filesystem */ + @SuppressWarnings("null") // jar can't be null if processingTagInJar is true private Node.Nodes doParse(String inFileName, Node parent, Jar jar) throws FileNotFoundException, JasperException, IOException { 
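Review bot: The `@SuppressWarnings("null")` added on `doParse` covers the whole method, so any later null-analysis warning in that body is silenced as well, not only the `jar.getJarFileURL()` call it was added for. A narrower option is to leave the analysis on and make the invariant visible where it is used, for example by testing `jar != null` directly in the condition of the escape check rather than only through the `processingTagInJar` flag. The method body starts at the end of this hunk and continues outside it, so the one use visible on this page is in the following hunk.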
@@ -194,7 +196,17 @@ class ParserController implements TagConstants { isBomPresent = false; isDefaultPageEncoding = false; + boolean processingTagInJar = jar != null && baseDirStack.peekFirst() != null && + baseDirStack.peekFirst().startsWith(TAGS_IN_JAR_LOCATION); String absFileName = resolveFileName(inFileName); + if (processingTagInJar && !absFileName.startsWith(TAGS_IN_JAR_LOCATION)) { + /* + * An included file is being parsed that was included from the standard location for tag files in JAR but + * tries to escape that location to either somewhere in the JAR not under the standard location or outside + * of the JAR. Neither of these are permitted. + */ + err.jspError("jsp.error.invalid.includeInTagFileJar", inFileName, jar.getJarFileURL().toString()); + } String jspConfigPageEnc = getJspConfigPageEncoding(absFileName); // Figure out what type of JSP document and encoding type we are diff --git a/java/org/apache/jasper/resources/LocalStrings.properties b/java/org/apache/jasper/resources/LocalStrings.properties index 8fec3e4fa9..65f8feb76b 100644 --- a/java/org/apache/jasper/resources/LocalStrings.properties +++ b/java/org/apache/jasper/resources/LocalStrings.properties @@ -90,6 +90,7 @@ jsp.error.invalid.directive=Invalid directive jsp.error.invalid.expression=[{0}] contains invalid expression(s): [{1}] jsp.error.invalid.implicit=Invalid implicit TLD for tag file at [{0}] jsp.error.invalid.implicit.version=Invalid JSP version defined in implicit TLD for tag file at [{0}] +jsp.error.invalid.includeInTagFileJar=The include [{0}] is not valid since it is outside of /META-INF/tags in the current JAR jsp.error.invalid.name=File [{0}] uses name [{1}] in jsp:getProperty for a bean that was not previously introduced as per JSP.5.3 jsp.error.invalid.scope=Illegal value of ''scope'' attribute: [{0}] (must be one of "page", "request", "session", or "application") jsp.error.invalid.tagdir=Tag file directory [{0}] does not start with "/WEB-INF/tags" 
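Review bot: The containment test `!absFileName.startsWith(TAGS_IN_JAR_LOCATION)` is only as strong as the normalisation done inside `resolveFileName()`, which is not visible in this hunk. A plain prefix match accepts a path that still begins with `/META-INF/tags/` but contains `..` segments further along. If `resolveFileName()` only joins the base directory and the include name, the check should run on a normalised path or reject `..` segments outright. The guard also depends on `err.jspError(...)` throwing so that parsing stops; a comment such as `// jspError() throws JasperException, nothing below runs for a rejected include` would make that explicit, presumably true given the `throws` clause but worth confirming. doParse's body continues outside the hunk.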
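Review bot: The new message `jsp.error.invalid.includeInTagFileJar` has a single placeholder `[{0}]`, while the call added in ParserController passes two arguments, the include name and `jar.getJarFileURL().toString()`, so the JAR URL is computed and then dropped. Either remove the second argument at the call site or name the JAR in the text, e.g. `... is outside of /META-INF/tags in the JAR [{1}]`. If the URL is added, note that JSP translation errors may be rendered in the error page, which would show the JAR's location to the client wherever error reports are enabled.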
diff --git a/test/org/apache/jasper/TestJspCompilationContext.java b/test/org/apache/jasper/TestJspCompilationContext.java index bfd1671132..126fc16e76 100644 --- a/test/org/apache/jasper/TestJspCompilationContext.java +++ b/test/org/apache/jasper/TestJspCompilationContext.java @@ -93,4 +93,36 @@ public class TestJspCompilationContext extends TomcatBaseTest { // Resource relative include (does not start with "/") Assert.assertTrue(body.toString(), body.toString().contains("01 - OK")); } + + + /* + * Test case for https://bz.apache.org/bugzilla/show_bug.cgi?id=69135 + */ + @Test + public void testTagFileInJarIncludesInvalidJar() throws Exception { + getTomcatInstanceTestWebapp(false, true); + + ByteChunk body = new ByteChunk(); + + int rc = getUrl("http://localhost:" + getPort() + + "/test/bug6nnnn/bug69135-invalid-jar.jsp", body, null); + + Assert.assertEquals(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, rc); + } + + + /* + * Test case for https://bz.apache.org/bugzilla/show_bug.cgi?id=69135 + */ + @Test + public void testTagFileInJarIncludesInvalidJarEscape() throws Exception { + getTomcatInstanceTestWebapp(false, true); + + ByteChunk body = new ByteChunk(); + + int rc = getUrl("http://localhost:" + getPort() + + "/test/bug6nnnn/bug69135-invalid-jar-escape.jsp", body, null); + + Assert.assertEquals(HttpServletResponse.SC_INTERNAL_SERVER_ERROR, rc); + } } diff --git a/test/webapp/WEB-INF/lib/bug69135-lib.jar b/test/webapp/WEB-INF/lib/bug69135-lib.jar index 9080642316..d10fd19ad3 100644 Binary files a/test/webapp/WEB-INF/lib/bug69135-lib.jar and b/test/webapp/WEB-INF/lib/bug69135-lib.jar differ diff --git a/test/webapp/bug6nnnn/bug69135-invalid-jar-escape.jsp b/test/webapp/bug6nnnn/bug69135-invalid-jar-escape.jsp new file mode 100644 index 0000000000..06dec33508 --- /dev/null +++ b/test/webapp/bug6nnnn/bug69135-invalid-jar-escape.jsp 
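Review bot: Both new tests assert only `SC_INTERNAL_SERVER_ERROR`, which any other translation failure of the test JSP would also produce, so they would still pass if the escape check were removed and the include failed for a different reason. The response is already captured in `body`, which is otherwise unused. Asserting on it, in the style of the existing assertion in the context lines above, would pin the specific rejection: `Assert.assertTrue(body.toString(), body.toString().contains("/META-INF/tags"));`. That assumes the error report in the test setup includes the exception message, which should be confirmed.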
@@ -0,0 +1,18 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> +<%@ taglib uri="http://tomcat.apache.org/bug69135-invalid-jar-escape-lib" prefix="bz69135" %> +<bz69135:relative-invalid-jar-escape index="01" /> \ No newline at end of file diff --git a/test/webapp/bug6nnnn/bug69135-invalid-jar.jsp b/test/webapp/bug6nnnn/bug69135-invalid-jar.jsp new file mode 100644 index 0000000000..d66f6b6b92 --- /dev/null +++ b/test/webapp/bug6nnnn/bug69135-invalid-jar.jsp 
@@ -0,0 +1,18 @@ +<%-- + Licensed to the Apache Software Foundation (ASF) under one or more + contributor license agreements. See the NOTICE file distributed with + this work for additional information regarding copyright ownership. + The ASF licenses this file to You under the Apache License, Version 2.0 + (the "License"); you may not use this file except in compliance with + the License. You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. +--%> +<%@ taglib uri="http://tomcat.apache.org/bug69135-invalid-jar-lib" prefix="bz69135" %> +<bz69135:relative-invalid-jar index="01" /> \ No newline at end of file diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 8cb9bdcf50..c4472630dd 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml 
@@ -182,6 +182,22 @@ a warning will be logged and the default will used. (markt) </add> + <fix> + <bug>69135</bug>: When using include directives in a tag file packaged + in a JAR file, ensure that context relative includes are processed + correctly. (markt) + </fix> + <fix> + <bug>69135</bug>: When using include directives in a tag file packaged + in a JAR file, ensure that file relative includes are processed + correctly. (markt) + </fix> + <fix> + <bug>69135</bug>: When using include directives in a tag file packaged + in a JAR file, ensure that file relative includes are are not permitted + to access files outside of the <code>/META_INF/tags/</code> directory + nor outside of the JAR file. (markt) + </fix> </changelog> </subsection> <subsection name="Web applications"> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org