tomcat-dev mailing list archives

From Arieh Markel <Arieh.Mar...@central.sun.com>
Subject Re: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SimpleMapper1.java StaticInterceptor.java
Date Tue, 12 Dec 2000 16:42:39 GMT
The fix is incorrect.

indexOf returns -1 when the substring is not found, not 0.

The way the current code is set forces wrong behavior.

It should be:

	(relativePath.indexOf("/META-INF/") != -1) ||
	(relativePath.indexOf("/WEB-INF/") != -1))

Arieh

> From: craigmcc@locus.apache.org
> To: jakarta-tomcat-cvs@apache.org
> Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SimpleMapper1.java StaticInterceptor.java
> 
> craigmcc    00/12/11 09:52:31
> 
>   Modified:    src/share/org/apache/tomcat/request Tag: tomcat_32
>                         SimpleMapper1.java StaticInterceptor.java
>   Log:
>   Fix a security vulnerability that would display the contents of sensitive
>   files when a URL like this was used:
>   
>   	http://localhost:8080/examples//WEB-INF/web.xml
>   
>   This vulnerability appears on Linux (and any other OS that ignores "//" in
>   the middle of a pathname), but not on Windows.
>   
>   Submitted by: Ramon Cacha <rcasha@megabyte.net>
>   PR: BugRat Bug Report #565
>   
>   Revision  Changes    Path
>   No                   revision
>   
>   
>   No                   revision
>   
>   
>   1.15.2.4  +2 -2      jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java
>   
>   Index: SimpleMapper1.java
>   ===================================================================
>   RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java,v
>   retrieving revision 1.15.2.3
>   retrieving revision 1.15.2.4
>   diff -u -r1.15.2.3 -r1.15.2.4
>   --- SimpleMapper1.java	2000/12/01 03:00:41	1.15.2.3
>   +++ SimpleMapper1.java	2000/12/11 17:52:30	1.15.2.4
>   @@ -343,8 +343,8 @@
>                requestURI.substring(contextPath.length()).toUpperCase();
>            if (relativePath.equals("/META-INF") ||
>                relativePath.equals("/WEB-INF") ||
>   -            relativePath.startsWith("/META-INF/") ||
>   -            relativePath.startsWith("/WEB-INF/"))
>   +            (relativePath.indexOf("/META-INF/") != 0) ||
>   +            (relativePath.indexOf("/WEB-INF/") != 0))
>                return 404;
>    
>    	return OK;
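
Review bot: the two added `indexOf(...) != 0` comparisons make this condition true for every request. `indexOf` returns -1 when the substring is absent and 0 only when the path begins with it, and no path can begin with both "/META-INF/" and "/WEB-INF/", so at least one comparison always holds and the method returns 404 unconditionally. Compare against -1 instead, for example `relativePath.indexOf("/WEB-INF/") != -1`. Separately, the unchanged `equals("/META-INF")` and `equals("/WEB-INF")` tests still match only the single-slash form, so `//WEB-INF` without a trailing slash is matched by none of the four tests; collapsing repeated slashes before this check would cover that case as well.
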
>   
>   
>   
>   1.7.2.5   +3 -1      jakarta-tomcat/src/share/org/apache/tomcat/request/StaticInterceptor.java
>   
>   Index: StaticInterceptor.java
>   ===================================================================
>   RCS file: 
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/StaticInterceptor.java,v
>   retrieving revision 1.7.2.4
>   retrieving revision 1.7.2.5
>   diff -u -r1.7.2.4 -r1.7.2.5
>   --- StaticInterceptor.java	2000/11/07 22:52:52	1.7.2.4
>   +++ StaticInterceptor.java	2000/12/11 17:52:30	1.7.2.5
>   @@ -418,7 +418,9 @@
>    
>    		String relPathU=relPath.toUpperCase();
>    		if ( relPathU.startsWith("WEB-INF") ||
>   -				relPathU.startsWith("META-INF")) {
>   +                     relPathU.startsWith("META-INF") ||
>   +                    (relPathU.indexOf("/WEB-INF/") != 0) ||
>   +                    (relPathU.indexOf("/META-INF/") != 0) ) {
>    			return null;
>    		}
>    	}
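
Review bot: the `!= 0` comparison on the two added `indexOf` lines makes this `if` always true, so the block returns null for every `relPath`, not only for those under WEB-INF or META-INF. `indexOf` returns -1 when the substring is not found, so both comparisons should be `!= -1`. The added lines are also indented with spaces while the surrounding context lines use tabs; match the file's tab indentation.
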
>   
>   
>   

--
 Arieh Markel		                Sun Microsystems Inc.
 Network Storage                        500 Eldorado Blvd. MS UBRM11-194
 e-mail: arieh.markel@sun.COM           Broomfield, CO 80021
 Let's go Panthers !!!!                 Phone: (303) 272-8547 x78547
 (e-mail me with subject SEND PUBLIC KEY to get public key)
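
The three forms of the check discussed in this thread, side by side over constructed sample paths. This is an added example, not code from the Tomcat source or from either author. The `bySegment` method and the class name are assumptions introduced here to show a comparison on whole path segments, which goes one step beyond the correction proposed in the reply.

```java
public class ProtectedPathCheck {
    // Revision 1.15.2.3: matches only when the directory name starts the path.
    static boolean original(String p) {
        return p.equals("/META-INF") || p.equals("/WEB-INF")
            || p.startsWith("/META-INF/") || p.startsWith("/WEB-INF/");
    }

    // Revision 1.15.2.4 as committed: indexOf compared against 0.
    // A path cannot start with both names, so one comparison is always true.
    static boolean committed(String p) {
        return p.equals("/META-INF") || p.equals("/WEB-INF")
            || p.indexOf("/META-INF/") != 0 || p.indexOf("/WEB-INF/") != 0;
    }

    // Correction from the reply: indexOf returns -1 when nothing is found.
    static boolean proposed(String p) {
        return p.equals("/META-INF") || p.equals("/WEB-INF")
            || p.indexOf("/META-INF/") != -1 || p.indexOf("/WEB-INF/") != -1;
    }

    // Assumption (not in the thread): compare whole path segments, so empty
    // segments produced by "//" and a missing trailing slash make no difference.
    static boolean bySegment(String p) {
        for (String segment : p.split("/")) {
            if (segment.equals("META-INF") || segment.equals("WEB-INF")) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample paths, upper-cased the way SimpleMapper1 does.
        String[] paths = {
            "/INDEX.HTML", "/WEB-INF/WEB.XML", "//WEB-INF/WEB.XML",
            "/META-INF/MANIFEST.MF", "//WEB-INF"
        };
        System.out.printf("%-22s %-9s %-10s %-9s %s%n",
            "relativePath", "original", "committed", "proposed", "bySegment");
        for (String p : paths) {
            System.out.printf("%-22s %-9b %-10b %-9b %b%n",
                p, original(p), committed(p), proposed(p), bySegment(p));
        }
    }
}
```

A `true` in a column means that variant would answer 404 for the path; the `committed` column is `true` on every row, including the ordinary `/INDEX.HTML` request.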

