--- java/org/apache/catalina/servlets/DefaultServlet.java.orig 2017-10-13 09:41:05.734302404 -0400
+++ java/org/apache/catalina/servlets/DefaultServlet.java 2017-10-13 09:42:53.515701311 -0400
@@ -855,23 +855,6 @@
return;
}
- // If the resource is not a collection, and the resource path
- // ends with "/" or "\", return NOT FOUND
- if (cacheEntry.context == null) {
- if (path.endsWith("/") || (path.endsWith("\\"))) {
- // Check if we're included so we can return the appropriate
- // missing resource name in the error
- String requestUri = (String) request.getAttribute(
- RequestDispatcher.INCLUDE_REQUEST_URI);
- if (requestUri == null) {
- requestUri = request.getRequestURI();
- }
- response.sendError(HttpServletResponse.SC_NOT_FOUND,
- requestUri);
- return;
- }
- }
-
boolean isError = DispatcherType.ERROR == request.getDispatcherType();
// Check if the conditions specified in the optional If headers are
--- java/org/apache/naming/resources/FileDirContext.java.orig 2017-10-13 09:41:05.737302387 -0400
+++ java/org/apache/naming/resources/FileDirContext.java 2017-10-13 09:42:53.516701306 -0400
@@ -14,8 +14,6 @@
* See the License for the specific language governing permissions and
* limitations under the License.
*/
-
-
package org.apache.naming.resources;
import java.io.File;
@@ -75,6 +73,8 @@
/**
* Builds a file directory context using the given environment.
+ *
+ * @param env The environment with which to build the context
*/
public FileDirContext(Hashtable<String,Object> env) {
super(env);
@@ -95,6 +95,8 @@
*/
protected String absoluteBase = null;
+ private String canonicalBase = null;
+
/**
* Allow linking.
@@ -104,7 +106,6 @@
// ------------------------------------------------------------- Properties
-
/**
* Set the document root.
*
@@ -117,32 +118,41 @@
*/
@Override
public void setDocBase(String docBase) {
+ // Validate the format of the proposed document root
+ if (docBase == null) {
+ throw new IllegalArgumentException(sm.getString("resources.null"));
+ }
- // Validate the format of the proposed document root
- if (docBase == null)
- throw new IllegalArgumentException
- (sm.getString("resources.null"));
-
- // Calculate a File object referencing this document base directory
- base = new File(docBase);
+ // Calculate a File object referencing this document base directory
+ base = new File(docBase);
try {
base = base.getCanonicalFile();
} catch (IOException e) {
// Ignore
}
- // Validate that the document base is an existing directory
- if (!base.exists() || !base.isDirectory() || !base.canRead())
- throw new IllegalArgumentException
- (sm.getString("fileResources.base", docBase));
- this.absoluteBase = base.getAbsolutePath();
- super.setDocBase(docBase);
+ // Validate that the document base is an existing directory
+ if (!base.exists() || !base.isDirectory() || !base.canRead()) {
+ throw new IllegalArgumentException(sm.getString("fileResources.base", docBase));
+ }
+ this.absoluteBase = normalize(base.getAbsolutePath());
+
+ // absoluteBase also needs to be normalized. Using the canonical path is
+ // the simplest way of doing this.
+ try {
+ this.canonicalBase = base.getCanonicalPath();
+ } catch (IOException e) {
+ throw new IllegalArgumentException(e);
+ }
+ super.setDocBase(docBase);
}
/**
* Set allow linking.
+ *
+ * @param allowLinking The new value for the attribute
*/
public void setAllowLinking(boolean allowLinking) {
this.allowLinking = allowLinking;
@@ -151,6 +161,8 @@
/**
* Is linking allowed.
+ *
+ * @return {@code true} is linking is allowed, otherwise {@false}
*/
public boolean getAllowLinking() {
return allowLinking;
@@ -193,7 +205,7 @@
@Override
protected Object doLookup(String name) {
Object result = null;
- File file = file(name);
+ File file = file(name, true);
if (file == null)
return null;
@@ -230,7 +242,7 @@
public void unbind(String name)
throws NamingException {
- File file = file(name);
+ File file = file(name, true);
if (file == null)
throw new NameNotFoundException(
@@ -255,22 +267,22 @@
* @exception NamingException if a naming exception is encountered
*/
@Override
- public void rename(String oldName, String newName)
- throws NamingException {
+ public void rename(String oldName, String newName) throws NamingException {
- File file = file(oldName);
+ File file = file(oldName, true);
- if (file == null)
- throw new NameNotFoundException
- (sm.getString("resources.notFound", oldName));
+ if (file == null) {
+ throw new NameNotFoundException(sm.getString("resources.notFound", oldName));
+ }
- File newFile = new File(base, newName);
+ File newFile = file(newName, false);
+ if (newFile == null) {
+ throw new NamingException(sm.getString("resources.renameFail", oldName, newName));
+ }
if (!file.renameTo(newFile)) {
- throw new NamingException(sm.getString("resources.renameFail",
- oldName, newName));
+ throw new NamingException(sm.getString("resources.renameFail", oldName, newName));
}
-
}
@@ -291,11 +303,11 @@
protected List<NamingEntry> doListBindings(String name)
throws NamingException {
- File file = file(name);
+ File file = file(name, true);
if (file == null)
return null;
-
+
return list(file);
}
@@ -395,7 +407,7 @@
throws NamingException {
// Building attribute list
- File file = file(name);
+ File file = file(name, true);
if (file == null)
return null;
@@ -463,12 +475,20 @@
* @exception NamingException if a naming exception is encountered
*/
@Override
- public void bind(String name, Object obj, Attributes attrs)
- throws NamingException {
+ public void bind(String name, Object obj, Attributes attrs) throws NamingException {
// Note: No custom attributes allowed
- File file = new File(base, name);
+ // bind() is meant to create a file so ensure that the path doesn't end
+ // in '/'
+ if (name.endsWith("/")) {
+ throw new NamingException(sm.getString("resources.bindFailed", name));
+ }
+
+ File file = file(name, false);
+ if (file == null) {
+ throw new NamingException(sm.getString("resources.bindFailed", name));
+ }
if (file.exists())
throw new NameAlreadyBoundException
(sm.getString("resources.alreadyBound", name));
@@ -503,7 +523,10 @@
// Note: No custom attributes allowed
// Check obj type
- File file = new File(base, name);
+ File file = file(name, false);
+ if (file == null) {
+ throw new NamingException(sm.getString("resources.bindFailed", name));
+ }
InputStream is = null;
if (obj instanceof Resource) {
@@ -583,13 +606,14 @@
public DirContext createSubcontext(String name, Attributes attrs)
throws NamingException {
- File file = new File(base, name);
+ File file = file(name, false);
+ if (file == null) {
+ throw new NamingException(sm.getString("resources.bindFailed", name));
+ }
if (file.exists())
- throw new NameAlreadyBoundException
- (sm.getString("resources.alreadyBound", name));
+ throw new NameAlreadyBoundException(sm.getString("resources.alreadyBound", name));
if (!file.mkdir())
- throw new NamingException
- (sm.getString("resources.bindFailed", name));
+ throw new NamingException(sm.getString("resources.bindFailed", name));
return (DirContext) lookup(name);
}
@@ -758,6 +782,7 @@
}
+
/**
* Return a File object representing the specified normalized
* context-relative path if it exists and is readable. Otherwise,
@@ -766,51 +791,133 @@
* @param name Normalized context-relative path (with leading '/')
*/
protected File file(String name) {
+ return file(name, true);
+ }
+
+
+ /**
+ * Return a File object representing the specified normalized
+ * context-relative path if it exists and is readable. Otherwise,
+ * return <code>null</code>.
+ *
+ * @param name Normalized context-relative path (with leading '/')
+ * @param mustExist Must the specified resource exist?
+ */
+ protected File file(String name, boolean mustExist) {
+ if (name.equals("/")) {
+ name = "";
+ }
File file = new File(base, name);
- if (file.exists() && file.canRead()) {
+ return validate(file, name, mustExist, absoluteBase, canonicalBase);
+ }
- if (allowLinking)
- return file;
-
- // Check that this file belongs to our root path
- String canPath = null;
- try {
- canPath = file.getCanonicalPath();
- } catch (IOException e) {
- // Ignore
- }
- if (canPath == null)
- return null;
- // Check to see if going outside of the web application root
- if (!canPath.startsWith(absoluteBase)) {
- return null;
- }
+ protected File validate(File file, String name, boolean mustExist, String absoluteBase,
+ String canonicalBase) {
- // Case sensitivity check - this is now always done
- String fileAbsPath = file.getAbsolutePath();
- if (fileAbsPath.endsWith("."))
- fileAbsPath = fileAbsPath + "/";
- String absPath = normalize(fileAbsPath);
- canPath = normalize(canPath);
- if ((absoluteBase.length() < absPath.length())
- && (absoluteBase.length() < canPath.length())) {
- absPath = absPath.substring(absoluteBase.length() + 1);
- if (absPath.equals(""))
- absPath = "/";
- canPath = canPath.substring(absoluteBase.length() + 1);
- if (canPath.equals(""))
- canPath = "/";
- if (!canPath.equals(absPath))
- return null;
- }
+ // If the requested names ends in '/', the Java File API will return a
+ // matching file if one exists. This isn't what we want as it is not
+ // consistent with the Servlet spec rules for request mapping.
+ if (name.endsWith("/") && file.isFile()) {
+ return null;
+ }
- } else {
+ // If the file/dir must exist but the identified file/dir can't be read
+ // then signal that the resource was not found
+ if (mustExist && !file.canRead()) {
+ return null;
+ }
+
+ // If allow linking is enabled, files are not limited to being located
+ // under the fileBase so all further checks are disabled.
+ if (allowLinking) {
+ return file;
+ }
+
+ // Additional Windows specific checks to handle known problems with
+ // File.getCanonicalPath()
+ if (JrePlatform.IS_WINDOWS && isInvalidWindowsFilename(name)) {
+ return null;
+ }
+
+ // Check that this file is located under the web application root
+ String canPath = null;
+ try {
+ canPath = file.getCanonicalPath();
+ } catch (IOException e) {
+ // Ignore
+ }
+ if (canPath == null || !canPath.startsWith(canonicalBase)) {
+ return null;
+ }
+
+ // Ensure that the file is not outside the fileBase. This should not be
+ // possible for standard requests (the request is normalized early in
+ // the request processing) but might be possible for some access via the
+ // Servlet API (RequestDispatcher etc.) therefore these checks are
+ // retained as an additional safety measure. absoluteBase has been
+ // normalized so absPath needs to be normalized as well.
+ String absPath = normalize(file.getAbsolutePath());
+ if ((absoluteBase.length() > absPath.length())) {
return null;
}
+
+ // Remove the fileBase location from the start of the paths since that
+ // was not part of the requested path and the remaining check only
+ // applies to the request path
+ absPath = absPath.substring(absoluteBase.length());
+ canPath = canPath.substring(canonicalBase.length());
+
+ // Case sensitivity check
+ // The normalized requested path should be an exact match the equivalent
+ // canonical path. If it is not, possible reasons include:
+ // - case differences on case insensitive file systems
+ // - Windows removing a trailing ' ' or '.' from the file name
+ //
+ // In all cases, a mis-match here results in the resource not being
+ // found
+ //
+ // absPath is normalized so canPath needs to be normalized as well
+ // Can't normalize canPath earlier as canonicalBase is not normalized
+ if (canPath.length() > 0) {
+ canPath = normalize(canPath);
+ }
+ if (!canPath.equals(absPath)) {
+ return null;
+ }
+
return file;
+ }
+
+ private boolean isInvalidWindowsFilename(String name) {
+ final int len = name.length();
+ if (len == 0) {
+ return false;
+ }
+ // This consistently ~10 times faster than the equivalent regular
+ // expression irrespective of input length.
+ for (int i = 0; i < len; i++) {
+ char c = name.charAt(i);
+ if (c == '\"' || c == '<' || c == '>') {
+ // These characters are disallowed in Windows file names and
+ // there are known problems for file names with these characters
+ // when using File#getCanonicalPath().
+ // Note: There are additional characters that are disallowed in
+ // Windows file names but these are not known to cause
+ // problems when using File#getCanonicalPath().
+ return true;
+ }
+ }
+ // Windows does not allow file names to end in ' ' unless specific low
+ // level APIs are used to create the files that bypass various checks.
+ // File names that end in ' ' are known to cause problems when using
+ // File#getCanonicalPath().
+ if (name.charAt(len -1) == ' ') {
+ return true;
+ }
+ return false;
}
@@ -1054,10 +1161,10 @@
return super.getResourceType();
}
-
+
/**
* Get canonical path.
- *
+ *
* @return String the file's canonical path
*/
@Override
@@ -1071,10 +1178,6 @@
}
return canonicalPath;
}
-
-
}
-
-
}
--- java/org/apache/naming/resources/VirtualDirContext.java.orig 2017-10-13 09:41:05.740302370 -0400
+++ java/org/apache/naming/resources/VirtualDirContext.java 2017-10-13 09:42:53.517701300 -0400
@@ -76,7 +76,8 @@
* be listed twice.
* </p>
*
- * @param path
+ * @param path The set of file system paths and virtual paths to map them to
+ * in the required format
*/
public void setExtraResourcePaths(String path) {
extraResourcePaths = path;
@@ -106,13 +107,13 @@
}
path = resSpec.substring(0, idx);
}
- String dir = resSpec.substring(idx + 1);
+ File dir = new File(resSpec.substring(idx + 1));
List<String> resourcePaths = mappedResourcePaths.get(path);
if (resourcePaths == null) {
resourcePaths = new ArrayList<String>();
mappedResourcePaths.put(path, resourcePaths);
}
- resourcePaths.add(dir);
+ resourcePaths.add(dir.getAbsolutePath());
}
}
if (mappedResourcePaths.isEmpty()) {
@@ -151,15 +152,17 @@
String resourcesDir = dirList.get(0);
if (name.equals(path)) {
File f = new File(resourcesDir);
- if (f.exists() && f.canRead()) {
+ f = validate(f, name, true, resourcesDir);
+ if (f != null) {
return new FileResourceAttributes(f);
}
}
path += "/";
if (name.startsWith(path)) {
String res = name.substring(path.length());
- File f = new File(resourcesDir + "/" + res);
- if (f.exists() && f.canRead()) {
+ File f = new File(resourcesDir, res);
+ f = validate(f, res, true, resourcesDir);
+ if (f != null) {
return new FileResourceAttributes(f);
}
}
@@ -168,9 +171,16 @@
throw initialException;
}
+
@Override
protected File file(String name) {
- File file = super.file(name);
+ return file(name, true);
+ }
+
+
+ @Override
+ protected File file(String name, boolean mustExist) {
+ File file = super.file(name, true);
if (file != null || mappedResourcePaths == null) {
return file;
}
@@ -185,7 +195,8 @@
if (name.equals(path)) {
for (String resourcesDir : dirList) {
file = new File(resourcesDir);
- if (file.exists() && file.canRead()) {
+ file = validate(file, name, true, resourcesDir);
+ if (file != null) {
return file;
}
}
@@ -194,7 +205,8 @@
String res = name.substring(path.length());
for (String resourcesDir : dirList) {
file = new File(resourcesDir, res);
- if (file.exists() && file.canRead()) {
+ file = validate(file, res, true, resourcesDir);
+ if (file != null) {
return file;
}
}
@@ -229,7 +241,8 @@
if (res != null) {
for (String resourcesDir : dirList) {
File f = new File(resourcesDir, res);
- if (f.exists() && f.canRead() && f.isDirectory()) {
+ f = validate(f, res, true, resourcesDir);
+ if (f != null && f.isDirectory()) {
List<NamingEntry> virtEntries = super.list(f);
for (NamingEntry entry : virtEntries) {
// filter duplicate
@@ -264,7 +277,8 @@
if (name.equals(path)) {
for (String resourcesDir : dirList) {
File f = new File(resourcesDir);
- if (f.exists() && f.canRead()) {
+ f = validate(f, name, true, resourcesDir);
+ if (f != null) {
if (f.isFile()) {
return new FileResource(f);
}
@@ -279,8 +293,9 @@
if (name.startsWith(path)) {
String res = name.substring(path.length());
for (String resourcesDir : dirList) {
- File f = new File(resourcesDir + "/" + res);
- if (f.exists() && f.canRead()) {
+ File f = new File(resourcesDir, res);
+ f = validate(f, res, true, resourcesDir);
+ if (f != null) {
if (f.isFile()) {
return new FileResource(f);
}
@@ -304,4 +319,9 @@
return null;
}
}
+
+
+ protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
+ return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase);
+ }
}
--- webapps/docs/changelog.xml.orig 2017-10-13 09:15:35.996884086 -0400
+++ webapps/docs/changelog.xml 2017-10-13 09:44:50.895046977 -0400
@@ -64,6 +64,14 @@
<bug>61101</bug>: CORS filter should set Vary header in response.
Submitted by Rick Riemer. (remm)
</fix>
+ <fix>
+ Correct regression in 7.0.80 that broke WebDAV. (markt)
+ </fix>
+ <fix>
+ <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+ uploaded via a specially crafted request when HTTP PUT was enabled.
+ (markt)
+ </fix>
</changelog>
</subsection>
</section>
--- java/org/apache/naming/resources/JrePlatform.java.orig 2017-10-13 09:41:05.745302342 -0400
+++ java/org/apache/naming/resources/JrePlatform.java 2017-10-13 09:42:53.516701306 -0400
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+public class JrePlatform {
+
+ private static final String OS_NAME_PROPERTY = "os.name";
+ private static final String OS_NAME_WINDOWS_PREFIX = "Windows";
+
+ static {
+ /*
+ * There are a few places where a) the behaviour of the Java API depends
+ * on the underlying platform and b) those behavioural differences have
+ * an impact on Tomcat.
+ *
+ * Tomcat therefore needs to be able to determine the platform it is
+ * running on to account for those differences.
+ *
+ * In an ideal world this code would not exist.
+ */
+
+ // This check is derived from the check in Apache Commons Lang
+ String osName;
+ if (System.getSecurityManager() == null) {
+ osName = System.getProperty(OS_NAME_PROPERTY);
+ } else {
+ osName = AccessController.doPrivileged(
+ new PrivilegedAction<String>() {
+
+ @Override
+ public String run() {
+ return System.getProperty(OS_NAME_PROPERTY);
+ }
+ });
+ }
+
+ IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX);
+ }
+
+
+ public static final boolean IS_WINDOWS;
+}
--- test/org/apache/naming/resources/TestFileDirContext.java.orig 2017-10-13 09:45:35.991795584 -0400
+++ test/org/apache/naming/resources/TestFileDirContext.java 2017-10-13 09:42:53.517701300 -0400
@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements. See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.io.File;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.tomcat.util.buf.ByteChunk;
+
+public class TestFileDirContext extends TomcatBaseTest {
+
+ @Test
+ public void testLookupResourceWithTrailingSlash() throws Exception {
+ Tomcat tomcat = getTomcatInstance();
+
+ File appDir = new File("test/webapp-3.0");
+ // app dir is relative to server home
+ tomcat.addWebapp(null, "/test", appDir.getAbsolutePath());
+
+ tomcat.start();
+
+ int sc = getUrl("http://localhost:" + getPort() +
+ "/test/index.html/", new ByteChunk(), null);
+ Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, sc);
+ }
+}