This is an automated email from the ASF dual-hosted git repository.
markt pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 1f1dcfc613 Fix BZ 69588 - enable allowLinking to be configured per
ResourceSet
1f1dcfc613 is described below
commit 1f1dcfc61322701cc00c87bde74895e11392fb2a
Author: Mark Thomas <[email protected]>
AuthorDate: Thu Apr 10 14:57:23 2025 +0100
Fix BZ 69588 - enable allowLinking to be configured per ResourceSet
https://bz.apache.org/bugzilla/show_bug.cgi?id=69588
---
java/org/apache/catalina/WebResourceRoot.java | 8 ++++++--
java/org/apache/catalina/WebResourceSet.java | 15 +++++++++++++++
.../webresources/AbstractArchiveResourceSet.java | 19 +++++++++++++++++++
.../webresources/AbstractFileResourceSet.java | 16 +++++++++++++++-
.../apache/catalina/webresources/DirResourceSet.java | 2 +-
.../catalina/webresources/EmptyResourceSet.java | 19 +++++++++++++++++++
webapps/docs/changelog.xml | 6 ++++++
webapps/docs/config/resources.xml | 13 +++++++++++++
8 files changed, 94 insertions(+), 4 deletions(-)
diff --git a/java/org/apache/catalina/WebResourceRoot.java
b/java/org/apache/catalina/WebResourceRoot.java
index e473d53a06..5ad9d66986 100644
--- a/java/org/apache/catalina/WebResourceRoot.java
+++ b/java/org/apache/catalina/WebResourceRoot.java
@@ -21,6 +21,8 @@ import java.net.URL;
import java.util.List;
import java.util.Set;
+import org.apache.catalina.util.ResourceSet;
+
/**
* Represents the complete set of resources for a web application. The
resources for a web application consist of
* multiple ResourceSets and when looking for a Resource, the ResourceSets are
processed in the following order:
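Review bot: The import of `org.apache.catalina.util.ResourceSet` added here exists only so the Javadoc in the next hunk (`@@ -246,14 +248,16 @@`) can write `{@link ResourceSet}`, and it appears to point at the wrong type: the accessors that override this setting are added in this commit to `org.apache.catalina.WebResourceSet`, which is in the same package as `WebResourceRoot` and needs no import, whereas `org.apache.catalina.util.ResourceSet` is, as far as I can tell, an unrelated utility class. Both Javadoc sentences in that hunk should read `Individual {@link WebResourceSet}s may override this setting.` and the new import can be dropped. As written, a reader following the link lands on a class that has no `allowLinking` property at all.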
@@ -246,14 +248,16 @@ public interface WebResourceRoot extends Lifecycle {
void setContext(Context context);
/**
- * Configure if this resources allow the use of symbolic links.
+ * Configure if this web application allows the use of symbolic links by
default. Individual {@link ResourceSet}s
+ * may override this setting.
*
* @param allowLinking <code>true</code> if symbolic links are allowed.
*/
void setAllowLinking(boolean allowLinking);
/**
- * Determine if this resources allow the use of symbolic links.
+ * Determine if this web application allows the use of symbolic links by
default. Individual {@link ResourceSet}s
+ * may override this setting.
*
* @return <code>true</code> if symbolic links are allowed
*/
diff --git a/java/org/apache/catalina/WebResourceSet.java
b/java/org/apache/catalina/WebResourceSet.java
index 1d2729cfea..231434f9b6 100644
--- a/java/org/apache/catalina/WebResourceSet.java
+++ b/java/org/apache/catalina/WebResourceSet.java
@@ -135,4 +135,19 @@ public interface WebResourceSet extends Lifecycle {
* resources.
*/
void gc();
+
+ /**
+ * Configure if this {@code ResourceSet} allows the use of symbolic links.
+ *
+ * @param allowLinking <code>true</code> if symbolic links are allowed.
+ */
+ void setAllowLinking(boolean allowLinking);
+
+ /**
+ * Determine if this {@code ResourceSet} allows the use of symbolic links.
If {@link #setAllowLinking(boolean)} has
+ * not been called for this instance, the value of {@link
WebResourceRoot#getAllowLinking()} is returned.
+ *
+ * @return <code>true</code> if symbolic links are allowed
+ */
+ boolean getAllowLinking();
}
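Review bot: The Javadoc on `getAllowLinking()` promises that, when `setAllowLinking(boolean)` has not been called, the value of `WebResourceRoot#getAllowLinking()` is returned, but two of the implementations in this same commit (`AbstractArchiveResourceSet` and `EmptyResourceSet`) ignore the setter and always return `false`, so the interface documents a stronger contract than its implementations keep. Suggest stating the permitted deviation on the interface, e.g. `Implementations that cannot support symbolic links (such as archive based sets) may ignore the configured value and always return {@code false}.`, and a matching sentence on `setAllowLinking`. Because this value decides whether a lookup in the set may resolve outside the set's base, callers should be told not to assume a value they set is honoured without reading it back.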
diff --git
a/java/org/apache/catalina/webresources/AbstractArchiveResourceSet.java
b/java/org/apache/catalina/webresources/AbstractArchiveResourceSet.java
index 0644a8c3d0..4b722a3985 100644
--- a/java/org/apache/catalina/webresources/AbstractArchiveResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractArchiveResourceSet.java
@@ -293,6 +293,25 @@ public abstract class AbstractArchiveResourceSet extends
AbstractResourceSet {
throw new
IllegalArgumentException(sm.getString("abstractArchiveResourceSet.setReadOnlyFalse"));
}
+ /**
+ * {@inheritDoc}
+ * <p>
+ * Calls to this method will be ignored as archives do not allow linking.
+ */
+ @Override
+ public void setAllowLinking(boolean allowLinking) {
+ }
+
+ /**
+ * {@inheritDoc}
+ * <p>
+ * Calls to this method always return {@code false} as archives do not
allow linking.
+ */
+ @Override
+ public boolean getAllowLinking() {
+ return false;
+ }
+
protected JarFile openJarFile() throws IOException {
synchronized (archiveLock) {
if (archive == null) {
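Review bot: `setAllowLinking(true)` on an archive set is discarded silently, while the neighbouring `setReadOnly` (visible at the top of this hunk) rejects an unsupported value with `IllegalArgumentException` via `sm.getString(...)`; the two setters should treat an unsupported configuration the same way. The changelog hunk advertises `allowLinking` on `JarResources`, so an operator who sets it there currently gets no indication that it has no effect, while `resources.xml` says the attribute is only available for `DirResourceSet` and `FileResourceSet`. Mirroring `setReadOnly`, e.g. `if (allowLinking) { throw new IllegalArgumentException(sm.getString("<placeholder: key for allowLinking=true on archive>")); }`, or at least a debug log naming the set, would make the dropped setting visible; if silent acceptance is intended, the `{@inheritDoc}` text should say so explicitly so the config docs and changelog can be made to agree.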
diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index 25512080ea..3edfb5551b 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -37,6 +37,7 @@ public abstract class AbstractFileResourceSet extends
AbstractResourceSet {
private String absoluteBase;
private String canonicalBase;
private boolean readOnly = false;
+ private Boolean allowLinking;
protected AbstractFileResourceSet(String internalPath) {
setInternalPath(internalPath);
@@ -56,6 +57,19 @@ public abstract class AbstractFileResourceSet extends
AbstractResourceSet {
return readOnly;
}
+ @Override
+ public void setAllowLinking(boolean allowLinking) {
+ this.allowLinking = Boolean.valueOf(allowLinking);
+ }
+
+ @Override
+ public boolean getAllowLinking() {
+ if (allowLinking == null) {
+ return getRoot().getAllowLinking();
+ }
+ return allowLinking.booleanValue();
+ }
+
protected final File file(String name, boolean mustExist) {
if (name.equals("/")) {
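Review bot: The new `setAllowLinking`/`getAllowLinking` pair in `AbstractFileResourceSet` carries no Javadoc, although this getter now gates whether `file()` (changed in the next hunk) skips the check that a resolved file lies under the base: when the boxed field is non-null its value wins regardless of the root, and `file()` returns early when it is `true`. Suggest `{@inheritDoc}` on both plus, on the getter, `A {@code null} field means no per-set override was configured and the {@link WebResourceRoot} default applies.`, and on the setter a sentence noting that enabling linking here relaxes the base-path containment check for this set even when the root has it disabled. The `private Boolean allowLinking;` field added in the previous hunk would benefit from the same one-line comment. `file()` begins in this hunk and continues past it.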
@@ -78,7 +92,7 @@ public abstract class AbstractFileResourceSet extends
AbstractResourceSet {
// If allow linking is enabled, files are not limited to being located
// under the fileBase so all further checks are disabled.
- if (getRoot().getAllowLinking()) {
+ if (getAllowLinking()) {
return file;
}
diff --git a/java/org/apache/catalina/webresources/DirResourceSet.java
b/java/org/apache/catalina/webresources/DirResourceSet.java
index 04bc2d3e4e..5553268ff7 100644
--- a/java/org/apache/catalina/webresources/DirResourceSet.java
+++ b/java/org/apache/catalina/webresources/DirResourceSet.java
@@ -173,7 +173,7 @@ public class DirResourceSet extends AbstractFileResourceSet
implements WebResour
for (File entry : list) {
// f has already been validated so the following checks
// can be much simpler than those in file()
- if (!getRoot().getAllowLinking()) {
+ if (!getAllowLinking()) {
// allow linking is disabled so need to check for
// symlinks
boolean symlink = true;
diff --git a/java/org/apache/catalina/webresources/EmptyResourceSet.java
b/java/org/apache/catalina/webresources/EmptyResourceSet.java
index c408feb1b7..26e0d0ec29 100644
--- a/java/org/apache/catalina/webresources/EmptyResourceSet.java
+++ b/java/org/apache/catalina/webresources/EmptyResourceSet.java
@@ -140,6 +140,25 @@ public class EmptyResourceSet extends LifecycleBase
implements WebResourceSet {
}
+ /**
+ * {@inheritDoc}
+ * <p>
+ * Calls to this method will be ignored as this implementation does not
allow linking.
+ */
+ @Override
+ public void setAllowLinking(boolean allowLinking) {
+ }
+
+ /**
+ * {@inheritDoc}
+ * <p>
+ * Calls to this method always return {@code false} as this implementation
does not allow linking.
+ */
+ @Override
+ public boolean getAllowLinking() {
+ return false;
+ }
+
/**
* {@inheritDoc}
* <p>
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 821f3ab595..4c8516b094 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -161,6 +161,12 @@
Process possible path parameters rewrite production in the rewrite
valve. (remm)
</fix>
+ <add>
+ <bug>69588</bug>: Enable <code>allowLinking</code> to be set on
+ <code>PreResources</code>, <code>JarResources</code> and
+ <code>PostResources</code>. If not set explicitly, the setting will be
+ inherited from the <code>Resources</code>. (markt)
+ </add>
<fix>
<bug>69633</bug>: Add support for Filters using context root mappings.
(markt)
diff --git a/webapps/docs/config/resources.xml
b/webapps/docs/config/resources.xml
index 012d4b450f..94421c52f3 100644
--- a/webapps/docs/config/resources.xml
+++ b/webapps/docs/config/resources.xml
@@ -212,6 +212,19 @@
<attributes>
+ <attribute name="allowLinking" required="false">
+ <p>If the value of this flag is <code>true</code>, symlinks will be
+ allowed inside the web resource set, pointing to resources inside or
+ outside the web application base path. If not specified, the default
+ value of the flag is taken from the outer Resources implementation.</p>
+ <p>This attribute is only available for <code>DirResourceSet</code> and
+ <code>FileResourceSet</code>.</p>
+ <p><b>NOTE: This flag MUST NOT be set to true on the Windows platform
+ (or any other OS which does not have a case sensitive filesystem),
+ as it will disable case sensitivity checks, allowing JSP source code
+ disclosure, among other security problems.</b></p>
+ </attribute>
+
<attribute name="base" required="true">
<p>Identifies where the resources to be used are located. This attribute
is required by the <code>org.apache.catalina.WebResourceSet</code>