tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject [Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793
Date Wed, 02 Aug 2017 09:13:28 GMT

Mark Thomas <> changed:

           What    |Removed                     |Added
             Status|NEW                         |NEEDINFO

--- Comment #3 from Mark Thomas <> ---
The canonical path check is still required to enforce the required case

The Window APIs, most likely for reasons dating back to how 8.3 filenames were
stored [1], ignore trailing periods in file names. That explains why
allowLinking="true" enables this vulnerability. As far as the OS APIs are
concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml" and setting
allowLinking="true" bypasses the additional checks Tomcat performs to ensure an
exact match between the requested path and the canonical path.

Just need confirmation from the OP that allowLinking="true" was being used and
this issue can be closed.


You are receiving this mail because:
You are the assignee for the bug.
To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message