File _service:tar_scm:CVE-2021-25329-pre3.patch of Package tomcat
From 2c5066316f6b138c4130a87cae4db05d75afe150 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Fri, 12 Mar 2021 09:44:04 +0800
Subject: [PATCH] 2
---
 .../catalina/startup/ContextConfig.java | 75 ++++++++++---------
 1 file changed, 41 insertions(+), 34 deletions(-)
diff --git a/java/org/apache/catalina/startup/ContextConfig.java b/java/org/apache/catalina/startup/ContextConfig.java
index 89eb8d3..a4210f8 100644
--- a/java/org/apache/catalina/startup/ContextConfig.java
+++ b/java/org/apache/catalina/startup/ContextConfig.java
@@ -566,25 +566,29 @@ public class ContextConfig implements LifecycleListener {
 Host host = (Host) context.getParent();
 File appBase = host.getAppBaseFile();
- String docBase = context.getDocBase();
- if (docBase == null) {
+ // This could be blank, relative, absolute or canonical
+ String docBaseConfigured = context.getDocBase();
+ // If there is no explicit docBase, derive it from the path and version
+ if (docBaseConfigured == null) {
 // Trying to guess the docBase according to the path
 String path = context.getPath();
 if (path == null) {
 return;
 }
 ContextName cn = new ContextName(path, context.getWebappVersion());
- docBase = cn.getBaseName();
+ docBaseConfigured = cn.getBaseName();
 }
- File file = new File(docBase);
- if (!file.isAbsolute()) {
- docBase = (new File(appBase, docBase)).getAbsolutePath();
- } else {
- docBase = file.getAbsolutePath();
- }
- file = new File(docBase);
- String origDocBase = docBase;
+ // Obtain the absolute docBase in String and File form
+ String docBaseAbsolute;
+ File docBaseConfiguredFile = new File(docBaseConfigured);
+ if (!docBaseConfiguredFile.isAbsolute()) {
+ docBaseAbsolute = (new File(appBase, docBaseConfigured)).getAbsolutePath();
+ } else {
+ docBaseAbsolute = docBaseConfiguredFile.getAbsolutePath();
+ }
+ File docBaseAbsoluteFile = new File(docBaseAbsolute);
+ String originalDocBase = docBaseAbsolute;
 ContextName cn = new ContextName(context.getPath(), context.getWebappVersion());
 String pathName = cn.getBaseName();
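Review bot: The new comment on `docBaseConfigured` lists a blank value as possible, but only `null` takes the derive-from-path branch below it. A blank string goes on to `new File(appBase, docBaseConfigured)`, which I would expect to resolve to appBase itself, so the context root would then be the whole appBase directory. If that is intended, the comment should say so, e.g. `// A blank docBase is not derived from the path; it resolves relative to appBase`. If it is not, the guard could read `if (docBaseConfigured == null || docBaseConfigured.isEmpty())`, though that changes behaviour and needs confirming against existing configurations. The method body starts and ends outside this hunk.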
@@ -597,28 +601,29 @@ public class ContextConfig implements LifecycleListener {
 }
 }
- boolean docBaseInAppBase = docBase.startsWith(appBase.getPath() + File.separatorChar);
-
- if (docBase.toLowerCase(Locale.ENGLISH).endsWith(".war") && !file.isDirectory()) {
- URL war = UriUtil.buildJarUrl(new File(docBase));
+ // At this point we need to determine if we have a WAR file in the
+ // appBase that needs to be expanded. Therefore we consider the absolute
+ // docBase NOT the canonical docBase. This is because some users symlink
+ // WAR files into the appBase and we want this to work correctly.
+ boolean docBaseAbsoluteInAppBase = docBaseAbsolute.startsWith(appBase.getPath() + File.separatorChar);
+ if (docBaseAbsolute.toLowerCase(Locale.ENGLISH).endsWith(".war") && !docBaseAbsoluteFile.isDirectory()) {
+ URL war = UriUtil.buildJarUrl(docBaseAbsoluteFile);
 if (unpackWARs) {
- docBase = ExpandWar.expand(host, war, pathName);
- file = new File(docBase);
- docBase = file.getCanonicalPath();
+ docBaseAbsolute = ExpandWar.expand(host, war, pathName);
+ docBaseAbsoluteFile = new File(docBaseAbsolute);
 if (context instanceof StandardContext) {
- ((StandardContext) context).setOriginalDocBase(origDocBase);
+ ((StandardContext) context).setOriginalDocBase(originalDocBase);
 }
 } else {
 ExpandWar.validate(host, war, pathName);
 }
 } else {
- File docDir = new File(docBase);
- File warFile = new File(docBase + ".war");
+ File docBaseAbsoluteFileWar = new File(docBaseAbsolute + ".war");
 URL war = null;
- if (warFile.exists() && docBaseAbsoluteInAppBase) {
- war = UriUtil.buildJarUrl(warFile);
+ if (docBaseAbsoluteFileWar.exists() && docBaseAbsoluteInAppBase) {
+ war = UriUtil.buildJarUrl(docBaseAbsoluteFileWar);
 }
- if (docDir.exists()) {
+ if (docBaseAbsoluteFile.exists()) {
 if (war != null && unpackWARs) {
 // Check if WAR needs to be re-expanded (e.g. if it has
 // changed). Note: HostConfig.deployWar() takes care of
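Review bot: `docBaseAbsoluteInAppBase` is a string-prefix test on the output of `getAbsolutePath()`, which does not collapse `..` segments. A configured docBase that begins with the appBase path but climbs out of it again would therefore still count as inside appBase when the code decides whether to pick up the sibling `.war`. The new comment explains why the canonical path is avoided here (symlinked WARs). A purely lexical normalisation would keep that behaviour, e.g. `docBaseAbsoluteFile.toPath().normalize().toString().startsWith(appBase.getPath() + File.separatorChar)`. If the un-normalised comparison is deliberate, the comment should state that `..` segments are not resolved at this point. The enclosing method starts and ends outside this hunk.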
@@ -629,31 +634,33 @@ public class ContextConfig implements LifecycleListener {
 } else {
 if (war != null) {
 if (unpackWARs) {
- docBase = ExpandWar.expand(host, war, pathName);
- file = new File(docBase);
- docBase = file.getCanonicalPath();
+ docBaseAbsolute = ExpandWar.expand(host, war, pathName);
+ docBaseAbsoluteFile = new File(docBaseAbsolute);
 } else {
- docBase = warFile.getCanonicalPath();
+ docBaseAbsolute = docBaseAbsoluteFileWar.getAbsolutePath();
+ docBaseAbsoluteFile = docBaseAbsoluteFileWar;
 ExpandWar.validate(host, war, pathName);
 }
 }
 if (context instanceof StandardContext) {
- ((StandardContext) context).setOriginalDocBase(origDocBase);
+ ((StandardContext) context).setOriginalDocBase(originalDocBase);
 }
 }
 }
- // Re-calculate now docBase is a canonical path
- docBaseInAppBase = docBase.startsWith(appBase.getPath() + File.separatorChar);
+ String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
- if (docBaseInAppBase) {
- docBase = docBase.substring(appBase.getPath().length());
+ // Re-calculate now docBase is a canonical path
+ boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
+ String docBase;
+ if (docBaseCanonicalInAppBase) {
+ docBase = docBaseCanonical.substring(appBase.getPath().length());
 docBase = docBase.replace(File.separatorChar, '/');
 if (docBase.startsWith("/")) {
 docBase = docBase.substring(1);
 }
 } else {
- docBase = docBase.replace(File.separatorChar, '/');
+ docBase = docBaseCanonical.replace(File.separatorChar, '/');
 }
 context.setDocBase(docBase);
--
2.23.0
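Review bot: The `docBaseCanonicalInAppBase` test compares a canonical path with `appBase.getPath()`, which is only a sound containment check if `host.getAppBaseFile()` already returns a canonical file; nothing in this diff shows that. If appBase is reached through a symlink or a non-normalised path, a docBase that really is inside it would fail the prefix test and be stored as an absolute path by the `else` branch. Either compare against `appBase.getCanonicalPath()` or state the invariant next to the check, e.g. `// appBase must be canonical here for this prefix test to be meaningful`. The carried-over comment `// Re-calculate now docBase is a canonical path` also no longer fits, since the line now declares a new variable; `// Decide containment using the canonical docBase` would describe it better. The method continues outside this hunk.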