All,
A case sensitivity test was added to DirResourceSet as part of the fix
for CVE-2024-50379. It is also used to check whether the JVM setting
described in CVE-2024-56337 is required.
The current case sensitivity check is imperfect. Things are complicated by:
- Windows introducing per directory case sensitivity
- Linux not returning the actual case in getCanonicalPath() when a case
insensitive file system is mounted
- not wanting to have to create files to test case sensitivity
All of these complications are unlikely edge cases but they do exist.
I am beginning to think that the simplest and most robust solution is to
remove the case sensitivity test and just keep the code paths for case
insensitive file systems.
The impact of that should be:
- users on Linux may see CVE-2024-56337 warnings unnecessarily
- users on Linux with write enabled may see a marginal performance
impact if users try writing to and reading from files concurrently
that differ only by case
The users seeing CVE-2024-56337 will likely be embedded users and I have
a couple of ideas there since I'm getting reports via $work that the most
recent releases fixed the issue on Linux but not Windows nor MacOS.
I'll follow up on that (probably tomorrow) once I have had a chat with
folks at $work as any fix is unlikely to be just in Tomcat.
Mark
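Added illustration of the two probing strategies the message weighs and of the "no probe, assume insensitive" option it proposes. This is hypothetical code written for this note, not Tomcat's DirResourceSet implementation and not the author's; the class and method names (CaseSensitivityProbe, probeByCanonicalPath, probeByCreatingFile, useCaseInsensitivePaths) are invented, and the behaviour comments for Linux, Windows and macOS restate what the message describes rather than anything verified here.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Hypothetical illustration, not Tomcat's DirResourceSet code.
public class CaseSensitivityProbe {

    enum Result { SENSITIVE, INSENSITIVE, UNKNOWN }

    // Swap the case of every letter; digits and punctuation are untouched.
    static String flipCase(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            if (Character.isUpperCase(c)) {
                sb.append(Character.toLowerCase(c));
            } else if (Character.isLowerCase(c)) {
                sb.append(Character.toUpperCase(c));
            } else {
                sb.append(c);
            }
        }
        return sb.toString();
    }

    // Probe 1: create nothing. Flip the case of the directory's own name and
    // see how that spelling resolves. Two limits: it exercises the parent's
    // behaviour, not the directory's contents (a Windows per-directory
    // setting on dir itself is invisible), and on a case-insensitive mount
    // under Linux getCanonicalPath() hands back the spelling it was asked
    // about rather than the on-disk one, so the canonical strings differ
    // even though the file system is insensitive. That ambiguous outcome is
    // reported as UNKNOWN instead of being guessed.
    static Result probeByCanonicalPath(File dir) throws IOException {
        String canonical = dir.getCanonicalPath();
        File canonicalFile = new File(canonical);
        File parent = canonicalFile.getParentFile();
        String name = canonicalFile.getName();
        String flipped = flipCase(name);
        if (parent == null || flipped.equals(name)) {
            return Result.UNKNOWN; // file system root, or no letters to flip
        }
        File altSpelling = new File(parent, flipped);
        if (!altSpelling.exists()) {
            return Result.SENSITIVE; // the other spelling is simply absent
        }
        if (altSpelling.getCanonicalPath().equals(canonical)) {
            return Result.INSENSITIVE; // resolved to the on-disk spelling
        }
        // Either a distinct entry with the other spelling exists on a
        // case-sensitive file system, or this is the Linux case noted above.
        return Result.UNKNOWN;
    }

    // Probe 2: create a marker file inside dir and look for it under the
    // flipped spelling. This tests the directory itself, so per-directory
    // settings and unusual mounts are covered, but it needs write access and
    // briefly creates a file in the resource root, which the message wants
    // to avoid.
    static Result probeByCreatingFile(File dir) throws IOException {
        Path marker = Files.createTempFile(dir.toPath(), "case-probe-", ".tmp");
        try {
            String name = marker.getFileName().toString();
            Path altSpelling = marker.resolveSibling(flipCase(name));
            return Files.exists(altSpelling) ? Result.INSENSITIVE : Result.SENSITIVE;
        } finally {
            Files.deleteIfExists(marker);
        }
    }

    // The option the message proposes: skip probing and always take the code
    // paths written for case-insensitive file systems. Correct everywhere, at
    // the cost of an unnecessary CVE-2024-56337 warning on Linux and a
    // marginal cost there when names differing only by case are read and
    // written concurrently.
    static boolean useCaseInsensitivePaths(File dir, boolean probe) throws IOException {
        if (!probe) {
            return true;
        }
        // If probing is kept, only a confirmed SENSITIVE answer opts out.
        return probeByCanonicalPath(dir) != Result.SENSITIVE;
    }

    public static void main(String[] args) throws IOException {
        File dir = new File(args.length > 0 ? args[0] : System.getProperty("java.io.tmpdir"));
        System.out.println("canonical-path probe: " + probeByCanonicalPath(dir));
        System.out.println("create-file probe:    " + probeByCreatingFile(dir));
        System.out.println("no probe, assume insensitive: " + useCaseInsensitivePaths(dir, false));
    }
}
```

Run it against a writable directory to compare the two probes; on a case-sensitive Linux file system the first probe reports SENSITIVE and the second agrees, while the UNKNOWN outcome of the first probe is where a check that only compares canonical strings would misreport.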
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org