Anyone want to take a bet on how long it takes before we get an AI-generated report that, despite the commit comment, this fixes a security vulnerability?

Mark


On 08/05/2026 15:41, [email protected] wrote:
This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
      new 6b7f62f0a6 Prevent accidental directory traversal
6b7f62f0a6 is described below

commit 6b7f62f0a6a2ed4c10ad717b3212c799cd98e2f9
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 8 15:40:30 2026 +0100

     Prevent accidental directory traversal
Note: This is NOT a security vulnerability as uploading a web application effectively allows RCE anyway.
---
  java/org/apache/catalina/manager/LocalStrings.properties | 2 ++
  java/org/apache/catalina/manager/ManagerServlet.java     | 9 +++++++++
  webapps/docs/changelog.xml                               | 4 ++++
  3 files changed, 15 insertions(+)

diff --git a/java/org/apache/catalina/manager/LocalStrings.properties 
b/java/org/apache/catalina/manager/LocalStrings.properties
index 618039a367..d14516e114 100644
--- a/java/org/apache/catalina/manager/LocalStrings.properties
+++ b/java/org/apache/catalina/manager/LocalStrings.properties
@@ -158,6 +158,8 @@ managerServlet.noWrapper=Container has not called 
setWrapper() for this servlet
  managerServlet.notDeployed=FAIL - Context [{0}] is defined in server.xml and 
may not be undeployed
  managerServlet.notSslConnector=SSL is not enabled for this connector
  managerServlet.objectNameFail=FAIL - Unable to register object name [{0}] for 
Manager Servlet
+managerServlet.pathCheckFail=FAIL - Unable to upload to [{0}] as that is 
outside the versioned directory [{1}]
+managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] due to [{2}] 
while checking the destination not outside the versioned directory [{1}]
  managerServlet.postCommand=FAIL - Tried to use command [{0}] via a GET 
request but POST is required
  managerServlet.reloaded=OK - Reloaded application at context path [{0}]
  managerServlet.renameFail=FAIL - Unable to rename [{0}] to [{1}]. This may 
cause problems for future deployments.
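Review bot: the new `managerServlet.pathCheckError` entry is missing the `=` between key and value (`+managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] ...`), so the properties loader will record the key as `managerServlet.pathCheckErrorFAIL` and the lookup `smClient.getString("managerServlet.pathCheckError", ...)` in ManagerServlet will not resolve it. It should read `managerServlet.pathCheckError=FAIL - Unable to upload to [{0}] due to [{2}] while checking the destination not outside the versioned directory [{1}]`. The placeholder order ({0} upload path, {1} versioned directory, {2} exception message) does match the argument order in the Java call.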
diff --git a/java/org/apache/catalina/manager/ManagerServlet.java 
b/java/org/apache/catalina/manager/ManagerServlet.java
index 806be52ce7..f222e3146f 100644
--- a/java/org/apache/catalina/manager/ManagerServlet.java
+++ b/java/org/apache/catalina/manager/ManagerServlet.java
@@ -732,6 +732,15 @@ public class ManagerServlet extends HttpServlet implements 
ContainerServlet {
              }
          } else {
              File uploadPath = new File(versioned, tag);
+            try {
+                if 
(!uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath())) {
+                    
writer.println(smClient.getString("managerServlet.pathCheckFail", uploadPath, 
versioned));
+                    return;
+                }
+            } catch (IOException ioe) {
+                
writer.println(smClient.getString("managerServlet.pathCheckError", uploadPath, 
versioned, ioe.getMessage()));
+                return;
+            }
              if (!uploadPath.mkdirs() && !uploadPath.isDirectory()) {
                  writer.println(smClient.getString("managerServlet.mkdirFail", 
uploadPath));
                  return;
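Review bot: `uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath())` is a plain string prefix test, so any canonical destination that merely begins with the versioned directory's name passes it; a sibling directory such as `<versioned>-backup/...` or `<versioned>2/...` would be accepted even though it is outside the versioned directory. Compare against `versioned.getCanonicalPath() + File.separator` (accepting exact equality only if uploading into the versioned directory itself is intended), or use `uploadPath.toPath().normalize().startsWith(versioned.toPath())`, which compares whole name elements rather than characters.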
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index e05c907131..ae82756886 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -330,6 +330,10 @@
    <subsection name="Web applications">
      <changelog>
        <!-- Entries for backport and removal before 12.0.0-M1 below this line 
-->
+      <add>
+        Manager: Add a check to ensure that any web application uploaded using
+        the tag mechanism is uploaded to the correct location. (markt)
+      </add>
      </changelog>
    </subsection>
    <subsection name="jdbc-pool">
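Review bot: the changelog text says the upload "is uploaded to the correct location", but the Java change does not relocate anything; it rejects the request with a FAIL message and returns when the tag resolves outside the versioned directory. Wording such as "reject an upload via the tag mechanism whose destination would fall outside the versioned directory" would describe the behaviour more accurately.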


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
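The prefix check in the patch above, contrasted with two separator-aware variants, as an added example that is not Tomcat code. The `PrefixCheckDemo` class, the method names and the temporary `versioned` / `versioned-other` directories are all constructed for the demonstration; `versioned-other` exists only to show that a sibling sharing the prefix passes the string comparison:

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not Tomcat code. It reproduces the canonical-path prefix check
// from the patch and contrasts it with two separator-aware variants, using
// throw-away directories created under the system temp directory.
public class PrefixCheckDemo {

    // The check as written in the patch: a plain String prefix comparison.
    static boolean patchStyleCheck(File versioned, String tag) throws IOException {
        File uploadPath = new File(versioned, tag);
        return uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath());
    }

    // Separator-aware String variant: the destination is either the versioned
    // directory itself or lies strictly beneath it. (A filesystem root as base
    // would already end in a separator; that case is not handled here.)
    static boolean separatorAwareCheck(File versioned, String tag) throws IOException {
        String base = versioned.getCanonicalPath();
        String dest = new File(versioned, tag).getCanonicalPath();
        return dest.equals(base) || dest.startsWith(base + File.separator);
    }

    // java.nio variant: Path.startsWith compares whole name elements, so
    // "versioned-other" is never treated as a child of "versioned". The base is
    // resolved with toRealPath() (it must exist, which is true for the Manager's
    // versioned directory); the tail is normalized lexically since it does not
    // exist yet, so symlinks inside the tag are not followed by this variant.
    static boolean pathElementCheck(File versioned, String tag) throws IOException {
        Path base = versioned.toPath().toRealPath();
        Path dest = base.resolve(tag).normalize();
        return dest.startsWith(base);
    }

    public static void main(String[] args) throws IOException {
        Path root = Files.createTempDirectory("prefixcheck");
        File versioned = Files.createDirectory(root.resolve("versioned")).toFile();
        Files.createDirectory(root.resolve("versioned-other")); // sibling sharing the prefix
        try {
            // Constructed tags: a normal one, a sibling escape, and a parent escape.
            String[] tags = { "v1", "../versioned-other/evil", "../../outside" };
            System.out.printf("%-26s %-6s %-10s %-5s%n", "tag", "patch", "separator", "nio");
            for (String tag : tags) {
                System.out.printf("%-26s %-6b %-10b %-5b%n", tag,
                        patchStyleCheck(versioned, tag),
                        separatorAwareCheck(versioned, tag),
                        pathElementCheck(versioned, tag));
            }
        } finally {
            // Best-effort cleanup of the constructed directories.
            Files.deleteIfExists(root.resolve("versioned-other"));
            Files.deleteIfExists(root.resolve("versioned"));
            Files.deleteIfExists(root);
        }
    }
}
```

Compile and run with `javac PrefixCheckDemo.java && java PrefixCheckDemo`. The row for `../versioned-other/evil` is the one to look at: `File.getCanonicalPath()` collapses the `..` for all three checks, but only the string-prefix variant accepts the sibling directory, because its canonical path begins with the same characters as the versioned directory's.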


