This is an automated email from the ASF dual-hosted git repository. remm pushed a commit to branch 9.0.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/9.0.x by this push: new 4111137da8 More accurate check for WEB-INF and META-INF 4111137da8 is described below
commit 4111137da8712add015a4193da0f7d4d9248941e
Author: remm <r...@apache.org>
AuthorDate: Wed Jan 15 10:42:11 2025 +0100
More accurate check for WEB-INF and META-INF Remove redundant checks already done in service(). Avoid ISE with invalid paths in the if header. Based on a patch submitted by Chenjp.
---
 .../apache/catalina/servlets/WebdavServlet.java | 26 ++++++++++------------
 webapps/docs/changelog.xml | 4 ++++
 2 files changed, 16 insertions(+), 14 deletions(-)
diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java
index 0579b0a1ef..e97410f1f5 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -609,6 +609,10 @@ public class WebdavServlet extends DefaultServlet implements PeriodicEventListen
             if (hrefs.hasNext()) {
                 currentHref = hrefs.next();
                 currentPath = getPathFromHref(currentHref, request);
+                if (currentPath == null) {
+                    // The path was invalid
+                    return false;
+                }
                 currentWebResource = resources.getResource(currentPath);
             } else {
                 currentPath = path;
@@ -804,12 +808,6 @@ public class WebdavServlet extends DefaultServlet implements PeriodicEventListen
 
         String path = getRelativePath(req);
 
-        // Exclude any resource in the /WEB-INF and /META-INF subdirectories
-        if (isSpecialPath(path)) {
-            resp.sendError(WebdavStatus.SC_FORBIDDEN);
-            return;
-        }
-
         // Properties which are to be displayed.
         List<Node> properties = new ArrayList<>();
         // Propfind depth
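Review bot: The new null guard in the hrefs branch returns false without saying what that means for the caller, and `// The path was invalid` does not close that gap; if this is the If-header evaluation behind checkIfHeaders(), as the hrefs/currentHref locals suggest, the visible call site in the hunk at line 1196 turns a false result into 412 Precondition Failed, so an href that does not resolve in this context is reported as an unsatisfied condition rather than an ISE or a 400. A comment that states the outcome would help the next reader: `// Href does not resolve to a path in this context: the condition cannot be satisfied, so the caller reports 412 rather than failing with an ISE`. The enclosing method starts and ends outside the hunk, so it cannot be confirmed from here whether the else branch's caller-supplied path is guaranteed non-null before it reaches resources.getResource().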
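Review bot: Removing the isSpecialPath() guard here and in the hunk at line 1196 leaves these handlers with no local WEB-INF/META-INF exclusion; the commit message says service() already performs it, but service() is not in the diff, so the handlers now depend on every request reaching them through that single check, and a subclass or later code that calls them directly would bypass it. A one-line comment at each removal site would make that dependency visible to maintainers: `// /WEB-INF and /META-INF access is rejected once in service(); do not call this method on an unchecked path`. Both enclosing methods start before and end after their hunks.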
@@ -1196,12 +1194,6 @@ public class WebdavServlet extends DefaultServlet implements PeriodicEventListen
 
         String path = getRelativePath(req);
 
-        // Exclude any resource in the /WEB-INF and /META-INF subdirectories
-        if (isSpecialPath(path)) {
-            resp.sendError(WebdavStatus.SC_FORBIDDEN);
-            return;
-        }
-
         WebResource resource = resources.getResource(path);
         if (!checkIfHeaders(req, resp, resource)) {
             resp.setStatus(HttpServletResponse.SC_PRECONDITION_FAILED);
@@ -1851,8 +1843,14 @@ public class WebdavServlet extends DefaultServlet implements PeriodicEventListen
      * @return <code>true</code> if the resource specified is under a special path
      */
     private boolean isSpecialPath(final String path) {
-        return !allowSpecialPaths && (path.toUpperCase(Locale.ENGLISH).startsWith("/WEB-INF") ||
-                path.toUpperCase(Locale.ENGLISH).startsWith("/META-INF"));
+        if (!allowSpecialPaths) {
+            String upperCasePath = path.toUpperCase(Locale.ENGLISH);
+            if (upperCasePath.startsWith("/WEB-INF/") || upperCasePath.startsWith("/META-INF/")
+                    || upperCasePath.equals("/WEB-INF") || upperCasePath.equals("/META-INF")) {
+                return true;
+            }
+        }
+        return false;
     }
 
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 113945e462..4c54b39903 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -136,6 +136,10 @@
         <code>bloom</code> <code>archiveIndexStrategy</code> of the
         <code>Resources</code>. (remm)
       </fix>
+      <fix>
+        Improve checks for <code>WEB-INF</code> and <code>META-INF</code> in
+        the WebDAV servlet. Based on a patch submitted by Chenjp. (remm)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
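Review bot: The rewritten isSpecialPath() now matches only an exact `/WEB-INF` or `/META-INF` segment or a path below it, which is the intended precision (a sibling such as `/WEB-INFO` is no longer treated as special), but that precision only holds if `path` arrives already decoded and normalized, since a leading double slash or a `.`/`..` segment would not match `startsWith("/WEB-INF/")`, and the Javadoc cut off above the hunk does not state that precondition. Suggest adding `@param path the decoded, normalized context-relative path starting with '/'; the caller is responsible for normalization` and extending the description to say the comparison is case-insensitive (Locale.ENGLISH upper-casing) and accepts either the exact segment or any path beneath it. Whether getRelativePath() guarantees that normalization for every caller cannot be confirmed from the hunk, so it is worth stating as a documented contract rather than an assumption.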