On Wed, Feb 19, 2025 at 7:15 PM Mark Thomas <ma...@apache.org> wrote:
>
> All,
>
> A case sensitivity test was added to DirResourceSet as part of the fix
> for CVE-2024-50379. It is also used to check whether the JVM setting
> described in CVE-2024-56337 is required.
>
> The current case sensitivity check is imperfect. Things are complicated by:
> - Windows introducing per directory case sensitivity
> - Linux not returning the actual case in getCanonicalPath() when a case
>   insensitive file system is mounted
> - not wanting to have to create files to test case sensitivity
>
> All of these complications are unlikely edge cases but they do exist.

It's more than unlikely; it's clear it's not going to happen. I don't think we can chase down every misconfiguration ...

> I am beginning to think that the simplest and most robust solution is to
> remove the case sensitivity test and just keep the code paths for case
> insensitive file systems.
>
> The impact of that should be:
> - users on Linux may see CVE-2024-56337 warnings unnecessarily
> - users on Linux with write enabled may see a marginal performance
>   impact if users try writing to and reading from files concurrently
>   that differ only by case

+1

> The users seeing CVE-2024-56337 will likely be embedded users and I have
> a couple of ideas there since I'm getting reports via $work the most
> recent releases fixed the issue on Linux but not Windows nor MacOS.
>
> I'll follow up on that (probably tomorrow) once I have had a chat with
> folks at $work as any fix is unlikely to be just in Tomcat.

Ok.

Rémy

> Mark
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: dev-h...@tomcat.apache.org
>
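The probe below is an added illustration of the kind of check Mark is describing and of why it is hard to get right; it is not Tomcat's DirResourceSet code and the class and method names are made up for this example. It toggles the case of a directory's own name, without creating anything, and asks the OS whether the toggled spelling still resolves to the same file. It deliberately does not compare getCanonicalPath()/toRealPath() strings, because on Linux those return the spelling the caller supplied even on a case-insensitive mount; Files.isSameFile compares the underlying file identity instead. It also shows the remaining limits: the result holds only for the directory probed (Windows per-directory sensitivity means a subtree may differ), and a name with no letters to toggle gives no answer at all.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/**
 * Added example, not Tomcat code: probe whether ONE directory sits on a
 * case-insensitive file system without creating files. Hypothetical names.
 */
public final class CaseSensitivityProbe {

    public enum Result { CASE_INSENSITIVE, CASE_SENSITIVE, UNKNOWN }

    /** Flip the case of every ASCII letter in the last segment; null if nothing to flip. */
    static Path toggledCase(Path dir) {
        Path name = dir.getFileName();
        if (name == null) {
            return null;                       // e.g. the root directory
        }
        String s = name.toString();
        StringBuilder sb = new StringBuilder(s.length());
        boolean changed = false;
        for (char c : s.toCharArray()) {
            if (Character.isUpperCase(c)) {
                sb.append(Character.toLowerCase(c));
                changed = true;
            } else if (Character.isLowerCase(c)) {
                sb.append(Character.toUpperCase(c));
                changed = true;
            } else {
                sb.append(c);
            }
        }
        if (!changed) {
            return null;                       // name has no letters, nothing to test
        }
        Path parent = dir.getParent();
        return parent == null ? Paths.get(sb.toString()) : parent.resolve(sb.toString());
    }

    /**
     * Result applies to this directory only. On Windows a subdirectory may have
     * its own per-directory case sensitivity flag, so do not cache it for a subtree.
     */
    public static Result probe(Path dir) throws IOException {
        // toRealPath() resolves symlinks. On Linux with a casefolded mount it does
        // NOT normalise case, so string comparison against it would say
        // "case sensitive" for a directory that is not. Do not compare strings.
        Path real = dir.toRealPath();
        Path toggled = toggledCase(real);
        if (toggled == null) {
            return Result.UNKNOWN;
        }
        if (!Files.exists(toggled)) {
            return Result.CASE_SENSITIVE;      // toggled spelling does not resolve
        }
        // The toggled spelling resolves. Either the file system folds case, or a
        // distinct sibling that really is spelled that way exists. isSameFile
        // compares file identity (inode / file ID), which tells the two apart.
        return Files.isSameFile(real, toggled) ? Result.CASE_INSENSITIVE
                                               : Result.CASE_SENSITIVE;
    }

    public static void main(String[] args) throws IOException {
        Path dir = Paths.get(args.length > 0 ? args[0]
                                             : System.getProperty("java.io.tmpdir"));
        System.out.println(dir + " -> " + probe(dir));
    }
}
```

Run it against a few mount points (an ext4 directory, a vfat or casefold-enabled one, a Windows folder with per-directory sensitivity toggled) and the three outcomes show up. The UNKNOWN branch and the per-directory caveat are the practical reasons a single probe at the base directory cannot be trusted for the whole tree, which is the gap the thread is discussing.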