Partial fix for CVE-2017-12617

This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API. git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1809025 13f79535-47bb-0310-9956-ffa450edef68
apache · Sep 20, 2017 · b7e0435 · b7e0435
1 parent b577f9a
commit b7e0435
Show file tree

Hide file tree

Showing 3 changed files with 24 additions and 7 deletions.
diff --git a/java/org/apache/catalina/webresources/DirResourceSet.java b/java/org/apache/catalina/webresources/DirResourceSet.java
@@ -217,6 +217,12 @@ public boolean write(String path, InputStream is, boolean overwrite) {
             return false;
         }
 
+        // write() is meant to create a file so ensure that the path doesn't
+        // end in '/'
+        if (path.endsWith("/")) {
+            return false;
+        }
+
         File dest = null;
         String webAppMount = getWebAppMount();
         if (path.startsWith(webAppMount)) {

diff --git a/test/org/apache/catalina/webresources/AbstractTestResourceSet.java b/test/org/apache/catalina/webresources/AbstractTestResourceSet.java
@@ -447,14 +447,8 @@ public final void testWriteDirA() {
     public final void testWriteDirB() {
         WebResource d1 = resourceRoot.getResource(getMount() + "/d1/");
         InputStream is = new ByteArrayInputStream("test".getBytes());
-        if (d1.exists()) {
+        if (d1.exists() || d1.isVirtual()) {
             Assert.assertFalse(resourceRoot.write(getMount() + "/d1/", is, false));
-        } else if (d1.isVirtual()) {
-            Assert.assertTrue(resourceRoot.write(
-                    getMount() + "/d1/", is, false));
-            File file = new File(getBaseDir(), "d1");
-            Assert.assertTrue(file.exists());
-            Assert.assertTrue(file.delete());
         } else {
             Assert.fail("Unhandled condition in unit test");
         }
@@ -490,6 +484,14 @@ public final void testWrite() {
         }
     }
 
+    @Test
+    public final void testWriteWithTrailingSlash() {
+        String newFileName = getNewFileName() + "/";
+        InputStream is = new ByteArrayInputStream("test".getBytes());
+        Assert.assertFalse(resourceRoot.write(
+                getMount() + "/" + newFileName, is, false));
+    }
+
     protected abstract String getNewFileName();
 
     // ------------------------------------------------------ getCanonicalPath()

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -45,6 +45,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.0.M28 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+        uploaded via a specially crafted request when HTTP PUT was enabled.
+        (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <add>