This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push:
     new b5069d405b Fix symlink edge case
b5069d405b is described below

commit b5069d405b9956c741b4f43ced6862e258e9210b
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Jun 7 09:49:49 2023 +0100

    Fix symlink edge case
---
 .../apache/catalina/webresources/AbstractFileResourceSet.java | 5 +++++
 webapps/docs/changelog.xml                                    | 9 +++++++++
 2 files changed, 14 insertions(+)

diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index e910e65118..019bb908f4 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -117,6 +117,11 @@ public abstract class AbstractFileResourceSet extends AbstractResourceSet {
         absPath = absPath.substring(absoluteBase.length());
         canPath = canPath.substring(canonicalBase.length());
 
+        // The remaining request path must start with '/' if it has non-zero length
+        if (canPath.length() > 0 && canPath.charAt(0) != '/') {
+            return null;
+        }
+
         // Case sensitivity check
         // The normalized requested path should be an exact match the equivalent
         // canonical path. If it is not, possible reasons include:
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index fec9209019..e0958525f1 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
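Review bot: The added guard compares `canPath.charAt(0)` against a literal `'/'`, but at this point canPath is the remainder of a `getCanonicalPath()` result and the hunk shows no separator normalization applied to it before the check; on Windows the canonical path uses `'\\'`, so every non-empty remainder would be rejected there if that normalization only happens further down. Unless canPath is already '/'-normalized by code outside the hunk, the comparison should use the platform separator, `if (canPath.length() > 0 && canPath.charAt(0) != File.separatorChar) {`. The comment on the new line states the rule but not the reason: the preceding base check is a plain string-prefix comparison, so a canonical path under a sibling directory whose name merely starts with the base name would otherwise survive it, which is the `allowLinking` bypass the changelog entry describes, and the comment would be more useful as `// Reject a canonical path that only shares the base as a string prefix (e.g. a sibling "<base>-other" directory)`. Note that absPath gets no equivalent check; if it is built from the normalized request path it always starts with '/', but that is not visible in this hunk. The enclosing method starts and ends outside the hunk.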
@@ -105,6 +105,15 @@ issues do not "pop up" wrt. others). -->
 <section name="Tomcat 10.1.11 (schultz)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Fix an edge case where intra-web application symlinks would be followed
+        if the web applications were deliberately crafted to allow it even when
+        <code>allowLinking</code> was set to <code>false</code>. (markt)
+      </fix>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 10.1.10 (schultz)" rtext="release in progress">
   <subsection name="Catalina">
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org