Projects
Mega:23.09
tomcat
_service:tar_scm:CVE-2020-9484.patch
Sign Up
Log In
Username
Password
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File _service:tar_scm:CVE-2020-9484.patch of Package tomcat
From 3aa8f28db7efb311cdd1b6fe15a9cd3b167a2222 Mon Sep 17 00:00:00 2001 From: Mark Thomas <markt@apache.org> Date: Tue, 5 May 2020 15:50:15 +0100 Subject: [PATCH] Improve validation of storage location when using FileStore. --- .../apache/catalina/session/FileStore.java | 19 +++++++++++++++++-- .../catalina/session/LocalStrings.properties | 1 + webapps/docs/changelog.xml | 3 +++ 3 files changed, 21 insertions(+), 2 deletions(-) diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java index 066d6035f1..cf3ea880fa 100644 --- a/java/org/apache/catalina/session/FileStore.java +++ b/java/org/apache/catalina/session/FileStore.java @@ -33,6 +33,8 @@ import org.apache.catalina.Globals; import org.apache.catalina.Session; import org.apache.juli.logging.Log; +import org.apache.juli.logging.LogFactory; +import org.apache.tomcat.util.res.StringManager; /** * Concrete implementation of the <b>Store</b> interface that utilizes @@ -43,6 +45,10 @@ */ public final class FileStore extends StoreBase { + private static final Log log = LogFactory.getLog(FileStore.class); + private static final StringManager sm = StringManager.getManager(FileStore.class); + + // ----------------------------------------------------- Constants /** @@ -341,11 +347,20 @@ private File directory() throws IOException { * used in the file naming. */ private File file(String id) throws IOException { - if (this.directory == null) { + File storageDir = directory(); + if (storageDir == null) { return null; } + String filename = id + FILE_EXT; - File file = new File(directory(), filename); + File file = new File(storageDir, filename); + + // Check the file is within the storage directory + if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) { + log.warn(sm.getString("fileStore.invalid", file.getPath(), id)); + return null; + } + return file; } } diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties index 5815915..d72bee4 100644 --- a/java/org/apache/catalina/session/LocalStrings.properties +++ b/java/org/apache/catalina/session/LocalStrings.properties @@ -16,6 +16,7 @@ fileStore.saving=Saving Session [{0}] to file [{1}] fileStore.loading=Loading Session [{0}] from file [{1}] fileStore.removing=Removing Session [{0}] at file [{1}] +fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}] fileStore.createFailed=Unable to create directory [{0}] for the storage of session data fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location fileStore.deleteSessionFailed=Unable to delete file [{0}] which is no longer required diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 5665df4..a384d62 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -171,6 +171,9 @@ When generating a redirect to a directory in the Default Servlet, avoid generating a protocol relative redirect. (markt) </fix> + <add> + Improve validation of storage location when using FileStore. (markt) + </add> </changelog> </subsection> <subsection name="Coyote">
Locations
Projects
Search
Status Monitor
Help
Open Build Service
OBS Manuals
API Documentation
OBS Portal
Reporting a Bug
Contact
Mailing List
Forums
Chat (IRC)
Twitter
Open Build Service (OBS)
is an
openSUSE project
.
浙ICP备2022010568号-2