File tomcat-8.0.55-CVE-2020-9484.patch of Package tomcat.17113

Overview Repositories Revisions Requests Users Attributes Meta

File tomcat-8.0.55-CVE-2020-9484.patch of Package tomcat.17113

From ec08af18d0f9ddca3f2d800ef66fe7fd20afef2f Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Tue, 5 May 2020 15:50:15 +0100
Subject: [PATCH] Improve validation of storage location when using FileStore.

---
 .../apache/catalina/session/FileStore.java    | 19 +++++++++++++++++--
 .../catalina/session/LocalStrings.properties  |  1 +
 webapps/docs/changelog.xml                    |  3 +++
 3 files changed, 21 insertions(+), 2 deletions(-)

Index: apache-tomcat-8.0.53-src/java/org/apache/catalina/session/FileStore.java
===================================================================
--- apache-tomcat-8.0.53-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-8.0.53-src/java/org/apache/catalina/session/FileStore.java
@@ -32,6 +32,8 @@ import org.apache.catalina.Context;
 import org.apache.catalina.Globals;
 import org.apache.catalina.Session;
 import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
 
 /**
  * Concrete implementation of the <b>Store</b> interface that utilizes
@@ -42,6 +44,10 @@ import org.apache.juli.logging.Log;
  */
 public final class FileStore extends StoreBase {
 
+    private static final Log log = LogFactory.getLog(FileStore.class);
+    private static final StringManager sm = StringManager.getManager(FileStore.class);
+
+
     // ----------------------------------------------------- Constants
 
     /**
@@ -337,11 +343,20 @@ public final class FileStore extends Sto
      *    used in the file naming.
      */
     private File file(String id) throws IOException {
-        if (this.directory == null) {
+        File storageDir = directory();
+        if (storageDir == null) {
             return null;
         }
+
         String filename = id + FILE_EXT;
-        File file = new File(directory(), filename);
+        File file = new File(storageDir, filename);
+
+        // Check the file is within the storage directory
+        if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+            log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+            return null;
+        }
+
         return file;
     }
 }
Index: apache-tomcat-8.0.53-src/java/org/apache/catalina/session/LocalStrings.properties
===================================================================
--- apache-tomcat-8.0.53-src.orig/java/org/apache/catalina/session/LocalStrings.properties
+++ apache-tomcat-8.0.53-src/java/org/apache/catalina/session/LocalStrings.properties
@@ -18,6 +18,7 @@ fileStore.loading=Loading Session {0} fr
 fileStore.removing=Removing Session {0} at file {1}
 fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location
 fileStore.createFailed=Unable to create directory [{0}] for the storage of session data
+fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}]
 JDBCStore.close=Exception closing database connection {0}
 JDBCStore.saving=Saving Session {0} to database {1}
 JDBCStore.loading=Loading Session {0} from database {1}
Index: apache-tomcat-8.0.53-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-8.0.53-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-8.0.53-src/webapps/docs/changelog.xml
@@ -138,6 +138,9 @@
         <code>Expires</code> header as required by HTTP specification
         (RFC 7231, 7234). (kkolinko)
       </fix>
+      <add>
+        Improve validation of storage location when using FileStore. (markt)
+      </add>
     </changelog>
   </subsection>
   <subsection name="Coyote">

Places

File tomcat-8.0.55-CVE-2020-9484.patch of Package tomcat.17113

Places