tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: svn commit: r1146005 - in /tomcat/trunk/java/org/apache/catalina/connector: LocalStrings.properties Request.java
Date Mon, 22 Aug 2011 14:55:21 GMT
On 13 July 2011 14:28,  <markt@apache.org> wrote:
> Author: markt
> Date: Wed Jul 13 13:28:24 2011
> New Revision: 1146005
>
> URL: http://svn.apache.org/viewvc?rev=1146005&view=rev
> Log:
> When running under a security manager and using sendfile, validate sendfile attributes
to prevent sendfile being used to bypass the security manager.
> Part of the fix for CVE-2011-2526
>
> Modified:
>    tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
>    tomcat/trunk/java/org/apache/catalina/connector/Request.java
>
> Modified: tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties?rev=1146005&r1=1146004&r2=1146005&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties (original)
> +++ tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties Wed Jul 13
13:28:24 2011
> @@ -66,6 +66,7 @@ coyoteRequest.noLoginConfig=No authentic
>  coyoteRequest.authenticate.ise=Cannot call authenticate() after the reponse has been
committed
>  coyoteRequest.uploadLocationInvalid=The temporary upload location [{0}] is not valid
>  coyoteRequest.sessionEndAccessFail=Exception triggered ending access to session while
recycling request
> +coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file [{0}]
specified for use with sendfile
>
>  requestFacade.nullRequest=The request object has been recycled and is no longer associated
with this facade
>
>
> Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
> URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1146005&r1=1146004&r2=1146005&view=diff
> ==============================================================================
> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13 13:28:24
2011
> @@ -1525,6 +1525,26 @@ public class Request
>             return;
>         }
>
> +        // Do the security check before any updates are made
> +        if (Globals.IS_SECURITY_ENABLED &&
> +                name.equals("org.apache.tomcat.sendfile.filename")) {

IMO this "magic string" should be a constant - as is done earlier in the file:

 ... name.equals(Globals.DISPATCHER_REQUEST_PATH_ATTR) ...


> +            // Use the canonical file name to avoid any possible symlink and
> +            // relative path issues
> +            String canonicalPath;
> +            try {
> +                canonicalPath = new File(value.toString()).getCanonicalPath();
> +            } catch (IOException e) {
> +                throw new SecurityException(sm.getString(
> +                        "coyoteRequest.sendfileNotCanonical", value), e);
> +            }
> +            // Sendfile is performed in Tomcat's security context so need to
> +            // check if the web app is permitted to access the file while still
> +            // in the web app's security context
> +            System.getSecurityManager().checkRead(canonicalPath);
> +            // Update the value so the canonical path is used
> +            value = canonicalPath;
> +        }
> +
>         oldValue = attributes.put(name, value);
>         if (oldValue != null) {
>             replaced = true;
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message