tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From sebb <seb...@gmail.com>
Subject Re: svn commit: r1146005 - in /tomcat/trunk/java/org/apache/catalina/connector: LocalStrings.properties Request.java
Date Mon, 22 Aug 2011 15:14:03 GMT
On 22 August 2011 16:03, Konstantin Kolinko <knst.kolinko@gmail.com> wrote:
> 2011/8/22 sebb <sebbaz@gmail.com>:
>> On 13 July 2011 14:28,  <markt@apache.org> wrote:
>>> Author: markt
>>> Date: Wed Jul 13 13:28:24 2011
>>> New Revision: 1146005
>>>
>>> URL: http://svn.apache.org/viewvc?rev=1146005&view=rev
>>> Log:
>>> When running under a security manager and using sendfile, validate sendfile attributes
to prevent sendfile being used to bypass the security manager.
>>> Part of the fix for CVE-2011-2526
>>>
>>> Modified:
>>>    tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
>>>    tomcat/trunk/java/org/apache/catalina/connector/Request.java
>>>
>
>>> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
>>> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13 13:28:24
2011
>>> @@ -1525,6 +1525,26 @@ public class Request
>>>             return;
>>>         }
>>>
>>> +        // Do the security check before any updates are made
>>> +        if (Globals.IS_SECURITY_ENABLED &&
>>> +                name.equals("org.apache.tomcat.sendfile.filename"))
{
>>
>> IMO this "magic string" should be a constant - as is done earlier in the file:
>>
>>  ... name.equals(Globals.DISPATCHER_REQUEST_PATH_ATTR) ...
>>
>
> You are right. Actually there are three magic strings used by sendfile
> (filename + range bounds).
>
> (It could not be done in r1146005 in order to reduce noise in a security patch).

I see.

In which case there are several other related magic strings in
DefaultServlet and Http11AprProcessor and Http11NioProcessor.

Probably elsewhere too; these are just the files that use
"org.apache.tomcat.sendfile.filename".


> Best regards,
> Konstantin Kolinko
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: dev-help@tomcat.apache.org
>
>

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


Mime
View raw message