tomcat-dev mailing list archives

From bugzi...@apache.org
Subject [Bug 61369] Tomcat 8.5.16 vulnerable to CVE-2016-0793
Date Wed, 02 Aug 2017 09:13:28 GMT
https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

Mark Thomas <markt@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #3 from Mark Thomas <markt@apache.org> ---
The canonical path check is still required to enforce the required case
sensitivity.

The Windows APIs, most likely for reasons dating back to how 8.3 filenames were
stored [1], ignore trailing periods in file names. That explains why
allowLinking="true" enables this vulnerability. As far as the OS APIs are
concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml" and setting
allowLinking="true" bypasses the additional checks Tomcat performs to ensure an
exact match between the requested path and the canonical path.

Just need confirmation from the OP that allowLinking="true" was being used and
this issue can be closed.

[1]
https://superuser.com/questions/585097/why-does-ntfs-disallow-the-use-of-trailing-periods-in-directory-names
