File tomcat-8.0.53-CVE-2021-24122.patch of Package tomcat
From 920dddbdb981f92e8d5872a4bb126a10af5ca8a9 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Fri, 6 Nov 2020 19:03:57 +0000
Subject: [PATCH] Fix BZ 64871. Log if file access is blocked due to symlinks

https://bz.apache.org/bugzilla/show_bug.cgi?id=64871
---
 .../webresources/AbstractFileResourceSet.java | 19 ++++++++++++++++++-
 .../webresources/LocalStrings.properties | 2 ++
 webapps/docs/changelog.xml | 4 ++++
 3 files changed, 24 insertions(+), 1 deletion(-)
Index: apache-tomcat-8.0.53-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
===================================================================
--- apache-tomcat-8.0.53-src.orig/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ apache-tomcat-8.0.53-src/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -22,11 +22,15 @@ import java.net.MalformedURLException;
 import java.net.URL;
 import org.apache.catalina.LifecycleException;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
 import org.apache.tomcat.util.compat.JrePlatform;
 import org.apache.tomcat.util.http.RequestUtil;
 public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
+
 protected static final String[] EMPTY_STRING_ARRAY = new String[0];
 private File fileBase;
@@ -128,6 +132,19 @@ public abstract class AbstractFileResour
 canPath = normalize(canPath);
 }
 if (!canPath.equals(absPath)) {
+ if (!canPath.equalsIgnoreCase(absPath)) {
+ // Typically means symlinks are in use but being ignored. Given
+ // the symlink was likely created for a reason, log a warning
+ // that it was ignored.
+ String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
+ getRoot().getContext().getName(), absPath, canPath);
+ // Log issues with configuration files at a higher level
+ if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
+ log.error(msg);
+ } else {
+ log.warn(msg);
+ }
+ }
 return null;
 }
@@ -144,7 +161,7 @@ public abstract class AbstractFileResour
 // expression irrespective of input length.
 for (int i = 0; i < len; i++) {
 char c = name.charAt(i);
- if (c == '\"' || c == '<' || c == '>') {
+ if (c == '\"' || c == '<' || c == '>' || c == ':') {
 // These characters are disallowed in Windows file names and
 // there are known problems for file names with these characters
 // when using File#getCanonicalPath().
Index: apache-tomcat-8.0.53-src/java/org/apache/catalina/webresources/LocalStrings.properties
===================================================================
--- apache-tomcat-8.0.53-src.orig/java/org/apache/catalina/webresources/LocalStrings.properties
+++ apache-tomcat-8.0.53-src/java/org/apache/catalina/webresources/LocalStrings.properties
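Review bot: The new `log.error`/`log.warn` branch fires on every rejected lookup and embeds `absPath` and `canPath` in the message, so if `absPath` derives from the requested resource name (it looks that way from `getRoot().getContext().getName(), absPath`, but the enclosing method starts before the hunk) an unauthenticated client can produce an unbounded stream of ERROR-level entries just by repeatedly requesting a path that fails the canonical check, which is a log-flooding and alert-fatigue risk this commit does not address. At minimum that property should be recorded next to the level selection, e.g. `// Emitted once per rejected request; repeated requests for a symlinked path repeat this entry at ERROR/WARN`, and a once-per-path or debug-after-first policy is worth considering as a follow-up. Style: `if(absPath.startsWith(` drops the space after `if` that the surrounding code uses; `if (absPath.startsWith(`. Note also that the `equalsIgnoreCase` guard deliberately suppresses the message for case-only mismatches, so on case-insensitive filesystems a blocked lookup still returns null silently; that is reasonable but deserves a word in the comment.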
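Review bot: The added `c == ':'` case is not explained by the comment beneath it, which still reads as a generic list of characters disallowed in Windows file names, and since the patch file is named for CVE-2021-24122 this one-character change appears to be the security-relevant fix rather than the logging, so it deserves its own rationale. Suggest extending the comment with something like `// ':' is also rejected: on NTFS it introduces an alternate data stream (or a drive prefix), which File#getCanonicalPath() may resolve to a different on-disk entry than the requested name`, ideally with the CVE reference alongside. The enclosing method starts and ends outside the hunk, so whether this loop is reached only when `JrePlatform.IS_WINDOWS` (as the Windows-specific wording suggests) cannot be confirmed from here.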
@@ -15,6 +15,8 @@
 abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
+
 abstractResource.getContentFail=Unable to return [{0}] as a byte array
 abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array
Index: apache-tomcat-8.0.53-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-8.0.53-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-8.0.53-src/webapps/docs/changelog.xml
@@ -179,6 +179,10 @@ to <code>rejectIllegalHeader</code> and expand the underlying implementation to include header values as well as names. (markt) </fix> + <add> + <bug>64871</bug>: Log a warning if Tomcat blocks access to a file because it uses symlinks. (markt) + </add> </changelog> </subsection> <subsection name="Jasper">