tomcat-dev mailing list archives

From ma...@apache.org
Subject svn commit: r1146005 - in /tomcat/trunk/java/org/apache/catalina/connector: LocalStrings.properties Request.java
Date Wed, 13 Jul 2011 13:28:24 GMT
Author: markt
Date: Wed Jul 13 13:28:24 2011
New Revision: 1146005

URL: http://svn.apache.org/viewvc?rev=1146005&view=rev
Log:
When running under a security manager and using sendfile, validate sendfile attributes to
prevent sendfile being used to bypass the security manager.
Part of the fix for CVE-2011-2526

Modified:
    tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
    tomcat/trunk/java/org/apache/catalina/connector/Request.java

Modified: tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties?rev=1146005&r1=1146004&r2=1146005&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties Wed Jul 13 13:28:24
2011
@@ -66,6 +66,7 @@ coyoteRequest.noLoginConfig=No authentic
 coyoteRequest.authenticate.ise=Cannot call authenticate() after the reponse has been committed
 coyoteRequest.uploadLocationInvalid=The temporary upload location [{0}] is not valid
 coyoteRequest.sessionEndAccessFail=Exception triggered ending access to session while recycling
request
+coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file [{0}] specified
for use with sendfile
 
 requestFacade.nullRequest=The request object has been recycled and is no longer associated
with this facade
 
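Review bot: The new coyoteRequest.sendfileNotCanonical text says "canonical name of file", while the code that raises it calls getCanonicalPath(); wording it as "canonical path" would make the log message match the API being reported on. The {0} argument is the attribute value as supplied by the web application, so the square-bracket delimiters used here are worth keeping to make that value easy to separate from the fixed text in logs.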

Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1146005&r1=1146004&r2=1146005&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13 13:28:24 2011
@@ -1525,6 +1525,26 @@ public class Request
             return;
         }
 
+        // Do the security check before any updates are made
+        if (Globals.IS_SECURITY_ENABLED &&
+                name.equals("org.apache.tomcat.sendfile.filename")) {
+            // Use the canonical file name to avoid any possible symlink and
+            // relative path issues
+            String canonicalPath;
+            try {
+                canonicalPath = new File(value.toString()).getCanonicalPath();
+            } catch (IOException e) {
+                throw new SecurityException(sm.getString(
+                        "coyoteRequest.sendfileNotCanonical", value), e);
+            }
+            // Sendfile is performed in Tomcat's security context so need to
+            // check if the web app is permitted to access the file while still
+            // in the web app's security context
+            System.getSecurityManager().checkRead(canonicalPath);
+            // Update the value so the canonical path is used
+            value = canonicalPath;
+        }
+
         oldValue = attributes.put(name, value);
         if (oldValue != null) {
             replaced = true;
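
Review bot: The checkRead(canonicalPath) call validates the path only at the moment setAttribute runs, but as the added comment says the transfer itself happens later in Tomcat's own security context, so a path component that changes between the check and the send (for example a directory swapped for a symlink) is not covered by this check. Consider re-resolving the canonical path where the file is actually opened for sendfile and comparing it with the stored value, or documenting the remaining window. Two smaller points in the same block: value.toString() accepts any object type, so it is worth confirming that a null value cannot reach this line and deciding whether a non-String value should be rejected outright; and the literal "org.apache.tomcat.sendfile.filename" would be better as a shared constant so the check and the connector code that reads the attribute cannot drift apart. The log message speaks of validating sendfile attributes, while only the filename attribute is checked in this hunk.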


