tomcat-dev mailing list archives

From "Amy Roh" <amy...@apache.org>
Subject Re: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?
Date Thu, 09 Aug 2001 20:49:46 GMT
+1

Amy
----- Original Message -----
From: "Craig R. McClanahan" <craigmcc@apache.org>
To: <tomcat-dev@jakarta.apache.org>
Sent: Thursday, August 09, 2001 12:49 PM
Subject: [VOTE] Tomcat 4.0-beta-7 Release Tonight ?


> Just fixed this security vulnerability in 4.0 (3.2.3 isn't vulnerable, at
> least on Win98, but I didn't check 3.3).  Therefore, I would propose to do
> a Beta 7 release tonight that picks up this change (and other bugfixes
> since Beta 6).
>
> Thanks to peter_c60@hotmail.com for the report.
>
> Craig McClanahan
>
>
> ---------- Forwarded message ----------
> Date: 9 Aug 2001 19:43:00 -0000
> From: craigmcc@apache.org
> Reply-To: tomcat-dev@jakarta.apache.org
> To: jakarta-tomcat-4.0-cvs@apache.org
> Subject: cvs commit: jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http HttpProcessor.java
>
> craigmcc    01/08/09 12:43:00
>
>   Modified:    catalina/src/share/org/apache/catalina/connector/http
>                         HttpProcessor.java
>   Log:
>   Make request URIs that contain "/..." (or any longer series of periods)
>   invalid.  On some (all?) Windows platforms, this causes the OS to walk the
>   directory tree just like "../../.." type sequences do.
>
>   PR: Bugzilla #3062
>   Submitted by: peter_c60@hotmail.com
>
>   Revision  Changes    Path
>   1.35      +9 -4      jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java
>
>   Index: HttpProcessor.java
>   ===================================================================
>   RCS file: /home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connector/http/HttpProcessor.java,v
>   retrieving revision 1.34
>   retrieving revision 1.35
>   diff -u -r1.34 -r1.35
>   --- HttpProcessor.java 2001/07/26 05:31:05 1.34
>   +++ HttpProcessor.java 2001/08/09 19:43:00 1.35
>   @@ -1,6 +1,6 @@
>   -/* * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connecto
r/http/HttpProcessor.java,v 1.34 2001/07/26 05:31:05 remm Exp $
>   - * $Revision: 1.34 $
>   - * $Date: 2001/07/26 05:31:05 $
>   +/* * $Header:
/home/cvs/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/connecto
r/http/HttpProcessor.java,v 1.35 2001/08/09 19:43:00 craigmcc Exp $
>   + * $Revision: 1.35 $
>   + * $Date: 2001/08/09 19:43:00 $
>     *
>     * ====================================================================
>     *
>   @@ -106,7 +106,7 @@
>     *
>     * @author Craig R. McClanahan
>     * @author Remy Maucherat
>   - * @version $Revision: 1.34 $ $Date: 2001/07/26 05:31:05 $
>   + * @version $Revision: 1.35 $ $Date: 2001/08/09 19:43:00 $
>     */
>
>    final class HttpProcessor
>   @@ -879,6 +879,11 @@
>                normalized = normalized.substring(0, index2) +
>                    normalized.substring(index + 3);
>            }
>   +
>   +        // Declare occurrences of "/..." (three or more dots) to be
invalid
>   +        // (on some Windows platforms this walks the directory tree!!!)
>   +        if (normalized.indexOf("/...") >= 0)
>   +            return (null);
>
>            // Return the normalized path that we have completed
>            return (normalized);
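Review bot: the new check `if (normalized.indexOf("/...") >= 0)` only sees literal dots in `normalized`, so the caller should be confirmed to percent-decode the request URI before normalize() runs; otherwise an encoded form of the same sequence would not be caught here. Two smaller points: the test also rejects any segment that merely begins with three dots (for example "/...foo"), which is the safe direction but broader than the log message's "/..." (or any longer series of periods)" suggests, so the code comment could state that this is deliberate; and since the method now returns null in one more case, the code that consumes the normalized path should be checked to map null to an error response rather than dereferencing it.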
>
>
>
>
>
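The normalize-then-reject logic the commit describes, written out as a stand-alone Java example. This is an added illustration, not Tomcat's HttpProcessor code: only the "/../" collapsing shape and the final "/..." rejection mirror the quoted hunk, while the handling of "//", "/./" and a trailing "/." or "/.." is assumed for completeness, and the input is assumed to be an already percent-decoded path.

```java
/**
 * Illustrative request-path normalizer (added example, not Tomcat's code).
 * Collapses "/./" and "/../" segments and then, as in revision 1.35 of
 * HttpProcessor.java, declares any remaining "/..." run invalid.
 * Assumes the caller has already percent-decoded the path.
 */
public final class UriNormalizeExample {

    /** Returns the normalized path, or null when the request must be rejected. */
    public static String normalize(String path) {
        if (path == null)
            return null;
        String normalized = path;

        // Use forward slashes only and make sure the path is rooted
        // (assumed handling, not taken from the quoted hunk)
        if (normalized.indexOf('\\') >= 0)
            normalized = normalized.replace('\\', '/');
        if (!normalized.startsWith("/"))
            normalized = "/" + normalized;

        // Treat a trailing "/." or "/.." like "/./" or "/../" (assumed handling)
        if (normalized.endsWith("/.") || normalized.endsWith("/.."))
            normalized = normalized + "/";

        // Resolve "//" (assumed handling)
        while (true) {
            int index = normalized.indexOf("//");
            if (index < 0)
                break;
            normalized = normalized.substring(0, index) + normalized.substring(index + 1);
        }

        // Resolve "/./" (assumed handling)
        while (true) {
            int index = normalized.indexOf("/./");
            if (index < 0)
                break;
            normalized = normalized.substring(0, index) + normalized.substring(index + 2);
        }

        // Resolve "/../": drop the preceding segment; a "/../" at the start
        // would climb above the root, so reject it
        while (true) {
            int index = normalized.indexOf("/../");
            if (index < 0)
                break;
            if (index == 0)
                return null;
            int index2 = normalized.lastIndexOf('/', index - 1);
            normalized = normalized.substring(0, index2) + normalized.substring(index + 3);
        }

        // Declare occurrences of "/..." (three or more dots) to be invalid,
        // mirroring the check added in revision 1.35; note that this also
        // rejects segments that merely begin with three dots
        if (normalized.indexOf("/...") >= 0)
            return null;

        return normalized;
    }

    public static void main(String[] args) {
        // Constructed sample request paths, not taken from any real log
        String[] samples = {
            "/docs/../index.html",
            "/docs/./guide/index.html",
            "/../etc/passwd",
            "/docs/.../index.html",
            "/docs/....../secret.txt",
            "/docs/...readme",
            "/docs/name..txt"
        };
        for (String s : samples) {
            String result = normalize(s);
            System.out.println(s + " -> " + (result == null ? "REJECTED" : result));
        }
    }
}
```

Running the class prints each sample beside its normalized form or REJECTED: the "/../" and "/./" cases collapse as expected, the path that climbs above the root and every path containing three or more consecutive dots after a slash are rejected, and a name with only two embedded dots passes through unchanged. The rejection is deliberately applied after the "/../" collapsing loop, so that a "/..." left behind by that loop is still caught.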

