https://issues.apache.org/bugzilla/show_bug.cgi?id=47564
Summary: .. and WEB-INF are allowed in pathInfo assignment
Product: Tomcat 6
Version: 6.0.18
Platform: PC
OS/Version: Windows Vista
Status: NEW
Severity: minor
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: mgai...@hotmail.com

Apache Tomcat 4.1.0 through 4.1.39, 5.5.0 through 5.5.27, 6.0.0 through 6.0.18, and possibly earlier versions normalizes the target pathname before filtering the query string when using the RequestDispatcher method, which allows remote attackers to bypass intended access restrictions and conduct directory traversal attacks via .. (dot dot) sequences and the WEB-INF directory in a Request.
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-5515

org.apache.catalina.core.ApplicationDispatcher.java

    import java.util.regex.Matcher;
    import java.util.regex.Pattern;

    public ApplicationDispatcher
        (Wrapper wrapper, String requestURI, String servletPath,
         String pathInfo, String queryString, String name) {

        super();

        // Save all of our configuration parameters
        this.wrapper = wrapper;
        this.context = (Context) wrapper.getParent();
        this.requestURI = requestURI;
        this.servletPath = servletPath;
        //change
        // this.pathInfo = pathInfo;
        //to
        if (pathInfo == null) {
            // No pathInfo was supplied, so there is nothing to filter
            this.pathInfo = null;
        } else {
            // Check for a literal dot dot and print a message if present
            Pattern p = Pattern.compile("\\.\\.");
            Matcher m = p.matcher(pathInfo);
            if (m.find())
                System.err.println("pathinfo should not contain dot dot");
            // Check for a pathInfo that contains WEB-INF
            // and print a message if it does.
            p = Pattern.compile("WEB-INF");
            m = p.matcher(pathInfo);
            if (m.find()) {
                System.err.println("pathinfo should not contain WEB-INF ");
            }
            // everything in kitchen sink except for .. or WEB-INF
            // (single pass: the stripped result is not checked again)
            p = Pattern.compile("\\.\\.|WEB-INF");
            m = p.matcher(pathInfo);
            StringBuffer sb = new StringBuffer();
            while (m.find()) {
                // Copy the text before the match and drop the match itself
                m.appendReplacement(sb, "");
            }
            // Add the last segment of input to the new String
            m.appendTail(sb);
            this.pathInfo = sb.toString();
        }
        //end mod
        this.queryString = queryString;
        this.name = name;
        if (wrapper instanceof StandardWrapper)
            this.support = ((StandardWrapper) wrapper).getInstanceSupport();
        else
            this.support = new InstanceSupport(wrapper);

    }

Been a while since I worked with regexp, so tweaking is appreciated.

Martin Gainty
23 July 2009
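
Added example, not part of the original report and not Tomcat code: a check that follows the order the CVE text implies, dropping the query string before normalizing, then testing the normalized path and refusing the target instead of rewriting it. The class name, method name and sample targets are constructed for illustration, and the input is assumed to be URL-decoded already.

```java
import java.util.ArrayDeque;
import java.util.Deque;

public class DispatchPathCheck {

    /** Returns the normalized path, or null if the target must be refused. */
    static String safePath(String target) {
        if (target == null || !target.startsWith("/")) {
            return null;
        }
        // 1. Drop the query string first, so nothing in it takes part in normalization.
        int q = target.indexOf('?');
        String path = (q >= 0) ? target.substring(0, q) : target;

        // 2. Normalize segment by segment; refuse anything that climbs above the root.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;                       // "//" and "/./" add nothing
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null;                // would leave the context root
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        // 3. Test the normalized result, not the raw input. Case-insensitive
        //    because the reported platform (Windows) has a case-insensitive file system.
        if (!segments.isEmpty() && segments.peekFirst().equalsIgnoreCase("WEB-INF")) {
            return null;
        }
        return "/" + String.join("/", segments);
    }

    public static void main(String[] args) {
        String[] samples = {                    // constructed sample targets
            "/index.jsp?lang=en",               // -> /index.jsp
            "/a/../WEB-INF/web.xml",            // -> null (normalizes into WEB-INF)
            "/../x",                            // -> null (climbs above the root)
            "/page.jsp?x=/../WEB-INF/web.xml"   // -> /page.jsp (query dropped before step 2)
        };
        for (String s : samples) {
            System.out.println(s + " -> " + safePath(s));
        }
    }
}
```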