tomcat-dev mailing list archives

From Konstantin Kolinko <knst.koli...@gmail.com>
Subject Re: svn commit: r1146005 - in /tomcat/trunk/java/org/apache/catalina/connector: LocalStrings.properties Request.java
Date Mon, 22 Aug 2011 15:03:30 GMT
2011/8/22 sebb <sebbaz@gmail.com>:
> On 13 July 2011 14:28,  <markt@apache.org> wrote:
>> Author: markt
>> Date: Wed Jul 13 13:28:24 2011
>> New Revision: 1146005
>>
>> URL: http://svn.apache.org/viewvc?rev=1146005&view=rev
>> Log:
>> When running under a security manager and using sendfile, validate sendfile attributes to prevent sendfile being used to bypass the security manager.
>> Part of the fix for CVE-2011-2526
>>
>> Modified:
>>    tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
>>    tomcat/trunk/java/org/apache/catalina/connector/Request.java
>>

>> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
>> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13 13:28:24
2011
>> @@ -1525,6 +1525,26 @@ public class Request
>>             return;
>>         }
>>
>> +        // Do the security check before any updates are made
>> +        if (Globals.IS_SECURITY_ENABLED &&
>> +                name.equals("org.apache.tomcat.sendfile.filename")) {
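
Review bot: on the `name.equals("org.apache.tomcat.sendfile.filename")` line, the attribute name that triggers the security check is an inline string literal, so a typo or a later rename would leave the check silently skipped with no compile error. Define it once as a named constant, in the same way `Globals.IS_SECURITY_ENABLED` is referenced on the line above, and compare against that. The comment "Do the security check before any updates are made" could also state what is being validated and that the check runs only when `Globals.IS_SECURITY_ENABLED` is true.
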
>
> IMO this "magic string" should be a constant - as is done earlier in the file:
>
>  ... name.equals(Globals.DISPATCHER_REQUEST_PATH_ATTR) ...
>

You are right. Actually there are three magic strings used by sendfile
(filename + range bounds).

(It could not be done in r1146005 in order to reduce noise in a security patch).

Best regards,
Konstantin Kolinko
