diff -up ./java/org/apache/catalina/session/FileStore.java.orig ./java/org/apache/catalina/session/FileStore.java

--- ./java/org/apache/catalina/session/FileStore.java.orig	2020-05-21 16:11:53.278807740 -0400

+++ ./java/org/apache/catalina/session/FileStore.java	2020-05-21 16:13:55.102531264 -0400

@@ -32,6 +32,8 @@ import org.apache.catalina.Context;

 import org.apache.catalina.Loader;

 import org.apache.catalina.Session;

 import org.apache.juli.logging.Log;

+import org.apache.juli.logging.LogFactory;

+import org.apache.tomcat.util.res.StringManager;

 /**

  * Concrete implementation of the Store interface that utilizes

@@ -42,6 +44,10 @@ import org.apache.juli.logging.Log;

  */

 public final class FileStore extends StoreBase {

+    private static final Log log = LogFactory.getLog(FileStore.class);

+    private static final StringManager sm = StringManager.getManager(FileStore.class);

+

+

     // ----------------------------------------------------- Constants

     /**

@@ -389,11 +395,20 @@ public final class FileStore extends Sto

      *    used in the file naming.

      */

     private File file(String id) throws IOException {

-        if (this.directory == null) {

+        File storageDir = directory();

+        if (storageDir == null) {

             return null;

         }

+

         String filename = id + FILE_EXT;

-        File file = new File(directory(), filename);

+        File file = new File(storageDir, filename);

+

+        // Check the file is within the storage directory

+        if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {

+            log.warn(sm.getString("fileStore.invalid", file.getPath(), id));

+            return null;

+        }

+

         return file;

     }

 }

diff -up ./java/org/apache/catalina/session/LocalStrings.properties.orig ./java/org/apache/catalina/session/LocalStrings.properties

--- ./java/org/apache/catalina/session/LocalStrings.properties.orig	2020-05-21 16:14:03.128513044 -0400

+++ ./java/org/apache/catalina/session/LocalStrings.properties	2020-05-21 16:14:14.058488232 -0400

@@ -20,6 +20,7 @@ fileStore.loading=Loading Session {0} fr

 fileStore.removing=Removing Session {0} at file {1}

 fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location

 fileStore.createFailed=Unable to create directory [{0}] for the storage of session data

+fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}]

 JDBCStore.close=Exception closing database connection {0}

 JDBCStore.saving=Saving Session {0} to database {1}

 JDBCStore.loading=Loading Session {0} from database {1}

diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml

--- ./webapps/docs/changelog.xml.orig	2020-05-21 16:14:22.575468899 -0400

+++ ./webapps/docs/changelog.xml	2020-05-21 16:15:39.413294473 -0400

@@ -57,6 +57,15 @@

   They eventually become mixed with the numbered issues. (I.e., numbered

   issues do not "pop up" wrt. others).

 -->

+<section name="Tomcat 7.0.76-14 (csutherl)">

+  <subsection name="Catalina">

+    <changelog>

+      <add>

+        Improve validation of storage location when using FileStore. (markt)

+      </add>

+    </changelog>

+  </subsection>

+</section>

 <section name="Tomcat 7.0.76-12 (csutherl)">

   <subsection name="jdbc-pool">

     <changelog>