https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
The canonical path check is still required to enforce the required case
sensitivity.

The Window APIs, most likely for reasons dating back to how 8.3 filenames were
stored [1], ignore trailing periods in file names. That explains why
allowLinking="true" enables this vulnerability. As far as the OS APIs are
concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml" and setting
allowLinking="true" bypasses the additional checks Tomcat performs to ensure an
exact match between the requested path and the canonical path.

Just need confirmation from the OP that allowLinking="true" was being used and
this issue can be closed.

[1]
https://superuser.com/questions/585097/why-does-ntfs-disallow-the-use-of-trailing-periods-in-directory-names

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org

Reply via email to