I believe CVE-2017-12617 is addressed in 9.0.x. The file() method has been reviewed by kkolinko and remm and I have implemented their comments. I have also refactored the method and added comments to make the intended behaviour clearer.

It is possible that there is scope to optimise some of the checks further, but I think we should consider them in slower time rather than risk making a quick decision now only to introduce a regression that could have security implications.

I'd like to give folks a chance to review the 9.0.x changes again before back-porting so, assuming positive reviews, I intend to back-port tomorrow.

I plan to use the time between now and starting the back-ports to check 9.0.x against the published Servlet 4.0 API, with a view to the next 9.0.x vote including both beta and stable as options (assuming our implementation matches the Servlet 4.0 API).

Mark