Partial fix for CVE-2017-12617

This moves a check from the Default servlet where it applied to GET, POST, HEAD and OPTIONS to the resources implementation where it applies to any method that expects the resource to exist (e.g.DELETE) Still need to address the case where the resource does not exist (e.g. PUT) git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc8.5.x/trunk@1809272 13f79535-47bb-0310-9956-ffa450edef68
apache · Sep 22, 2017 · 506d862 · 506d862
1 parent a448da0
commit 506d862
Show file tree

Hide file tree

Showing 3 changed files with 15 additions and 14 deletions.
diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java
@@ -804,20 +804,6 @@ protected void serveResource(HttpServletRequest request,
             return;
         }
 
-        // If the resource is not a collection, and the resource path
-        // ends with "/" or "\", return NOT FOUND
-        if (resource.isFile() && (path.endsWith("/") || path.endsWith("\\"))) {
-            // Check if we're included so we can return the appropriate
-            // missing resource name in the error
-            String requestUri = (String) request.getAttribute(
-                    RequestDispatcher.INCLUDE_REQUEST_URI);
-            if (requestUri == null) {
-                requestUri = request.getRequestURI();
-            }
-            response.sendError(HttpServletResponse.SC_NOT_FOUND, requestUri);
-            return;
-        }
-
         boolean included = false;
         // Check if the conditions specified in the optional If headers are
         // satisfied.

diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -57,6 +57,14 @@ protected final File file(String name, boolean mustExist) {
             name = "";
         }
         File file = new File(fileBase, name);
+
+        // If the requested names ends in '/', the Java File API will return a
+        // matching file if one exists. This isn't what we want as it is not
+        // consistent with the Servlet spec rules for request mapping.
+        if (file.isFile() && name.endsWith("/")) {
+            return null;
+        }
+
         if (!mustExist || file.canRead()) {
 
             if (getRoot().getAllowLinking()) {

diff --git a/test/org/apache/catalina/webresources/AbstractTestResourceSet.java b/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
@@ -131,6 +131,13 @@ public final void testGetResourceFile() {
         Assert.assertNotNull(webResource.getInputStream());
     }
 
+    @Test
+    public final void testGetResourceFileWithTrailingSlash() {
+        WebResource webResource =
+                resourceRoot.getResource(getMount() + "/d1/d1-f1.txt/");
+        Assert.assertFalse(webResource.exists());
+    }
+
     @Test
     public final void testGetResourceCaseSensitive() {
         WebResource webResource =