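diff -up ./java/org/apache/catalina/session/FileStore.java.orig ./java/org/apache/catalina/session/FileStore.java
--- ./java/org/apache/catalina/session/FileStore.java.orig 2020-05-21 16:11:53.278807740 -0400
+++ ./java/org/apache/catalina/session/FileStore.java 2020-05-21 16:13:55.102531264 -0400
@@ -32,6 +32,8 @@ import org.apache.catalina.Context;
 import org.apache.catalina.Loader;
 import org.apache.catalina.Session;
 import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
 
 /**
 * Concrete implementation of the Store interface that utilizes
@@ -42,6 +44,10 @@ import org.apache.juli.logging.Log;
 */
 public final class FileStore extends StoreBase {
 
+ private static final Log log = LogFactory.getLog(FileStore.class);
+ private static final StringManager sm = StringManager.getManager(FileStore.class);
+
+
 // ----------------------------------------------------- Constants
 
 /**
@@ -389,11 +395,20 @@ public final class FileStore extends Sto
 * used in the file naming.
 */
 private File file(String id) throws IOException {
- if (this.directory == null) {
+ File storageDir = directory();
+ if (storageDir == null) {
 return null;
 }
+
 String filename = id + FILE_EXT;
- File file = new File(directory(), filename);
+ File file = new File(storageDir, filename);
+
+ // Check the file is within the storage directory
+ if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+ return null;
+ }
+
 return file;
 }
 }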
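Review bot: The containment test in `file()` compares canonical paths as plain strings, so `startsWith` also accepts a file in a sibling directory whose name merely begins with the storage directory's name (constructed example: storage directory `/work/sessions`, file under `/work/sessions-old/`). Anchor the prefix on a path separator instead: `String base = storageDir.getCanonicalPath() + File.separator;` followed by `if (!file.getCanonicalPath().startsWith(base)) {`. The warning also writes the raw session `id` into the log; that value presumably comes from the request, so consider sanitising or truncating it before it reaches `log.warn`. Callers of `file()` are outside this hunk, so each one should be checked for handling the additional `null` return.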
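diff -up ./java/org/apache/catalina/session/LocalStrings.properties.orig ./java/org/apache/catalina/session/LocalStrings.properties
--- ./java/org/apache/catalina/session/LocalStrings.properties.orig 2020-05-21 16:14:03.128513044 -0400
+++ ./java/org/apache/catalina/session/LocalStrings.properties 2020-05-21 16:14:14.058488232 -0400
@@ -20,6 +20,7 @@ fileStore.loading=Loading Session {0} fr
 fileStore.removing=Removing Session {0} at file {1}
 fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location
 fileStore.createFailed=Unable to create directory [{0}] for the storage of session data
+fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}]
 JDBCStore.close=Exception closing database connection {0}
 JDBCStore.saving=Saving Session {0} to database {1}
 JDBCStore.loading=Loading Session {0} from database {1}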
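diff -up ./webapps/docs/changelog.xml.orig ./webapps/docs/changelog.xml
--- ./webapps/docs/changelog.xml.orig 2020-05-21 16:14:22.575468899 -0400
+++ ./webapps/docs/changelog.xml 2020-05-21 16:15:39.413294473 -0400
@@ -57,6 +57,15 @@
 They eventually become mixed with the numbered issues. (I.e., numbered
 issues do not "pop up" wrt. others).
 -->
+<section name="Tomcat 7.0.76-14 (csutherl)">
+ <subsection name="Catalina">
+ <changelog>
+ <add>
+ Improve validation of storage location when using FileStore. (markt)
+ </add>
+ </changelog>
+ </subsection>
+</section>
 <section name="Tomcat 7.0.76-12 (csutherl)">
 <subsection name="jdbc-pool">
 <changelog>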