This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/main by this push:
     new a8264505cb Update versioned path check after CoPilot review
a8264505cb is described below

commit a8264505cbf59ad06383a5ffe9f9e35917924557
Author: Mark Thomas <[email protected]>
AuthorDate: Fri May 8 16:00:03 2026 +0100

    Update versioned path check after CoPilot review
---
 .../catalina/manager/LocalStrings.properties       |  4 ++--
 .../apache/catalina/manager/ManagerServlet.java    | 27 ++++++++++++++++------
 2 files changed, 22 insertions(+), 9 deletions(-)

diff --git a/java/org/apache/catalina/manager/LocalStrings.properties 
b/java/org/apache/catalina/manager/LocalStrings.properties
index d14516e114..2af95f3aed 100644
--- a/java/org/apache/catalina/manager/LocalStrings.properties
+++ b/java/org/apache/catalina/manager/LocalStrings.properties
@@ -158,8 +158,8 @@ managerServlet.noWrapper=Container has not called 
setWrapper() for this servlet
 managerServlet.notDeployed=FAIL - Context [{0}] is defined in server.xml and 
may not be undeployed
 managerServlet.notSslConnector=SSL is not enabled for this connector
 managerServlet.objectNameFail=FAIL - Unable to register object name [{0}] for 
Manager Servlet
-managerServlet.pathCheckFail=FAIL - Unable to upload to [{0}] as that is 
outside the versioned directory [{1}]
-managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] due to [{2}] 
while checking the destination not outside the versioned directory [{1}]
+managerServlet.pathCheckFail=FAIL - Unable to use [{0}] as that is outside the 
versioned directory [{1}]
+managerServlet.pathCheckError=FAIL - Unable to use [{0}] due to [{2}] while 
checking if it was outside the versioned directory [{1}]
 managerServlet.postCommand=FAIL - Tried to use command [{0}] via a GET request 
but POST is required
 managerServlet.reloaded=OK - Reloaded application at context path [{0}]
 managerServlet.renameFail=FAIL - Unable to rename [{0}] to [{1}]. This may 
cause problems for future deployments.
diff --git a/java/org/apache/catalina/manager/ManagerServlet.java 
b/java/org/apache/catalina/manager/ManagerServlet.java
index f222e3146f..6cf639f4b7 100644
--- a/java/org/apache/catalina/manager/ManagerServlet.java
+++ b/java/org/apache/catalina/manager/ManagerServlet.java
@@ -732,13 +732,8 @@ public class ManagerServlet extends HttpServlet implements 
ContainerServlet {
             }
         } else {
             File uploadPath = new File(versioned, tag);
-            try {
-                if 
(!uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath())) {
-                    
writer.println(smClient.getString("managerServlet.pathCheckFail", uploadPath, 
versioned));
-                    return;
-                }
-            } catch (IOException ioe) {
-                
writer.println(smClient.getString("managerServlet.pathCheckError", uploadPath, 
versioned, ioe.getMessage()));
+            if (!versionedPathCheck(uploadPath, writer, smClient)) {
+                // Any error reported in versionedPathCheck()
                 return;
             }
             if (!uploadPath.mkdirs() && !uploadPath.isDirectory()) {
@@ -826,6 +821,11 @@ public class ManagerServlet extends HttpServlet implements 
ContainerServlet {
 
         // Find the local WAR file
         File localWar = new File(new File(versioned, tag), baseName + ".war");
+        if (!versionedPathCheck(localWar, writer, smClient)) {
+            // Any error reported in versionedPathCheck()
+            return;
+        }
+
 
         File deployedWar = new File(host.getAppBaseFile(), baseName + ".war");
 
@@ -859,6 +859,19 @@ public class ManagerServlet extends HttpServlet implements 
ContainerServlet {
     }
 
 
+    private boolean versionedPathCheck(File input, PrintWriter writer, 
StringManager smClient) {
+        try {
+            if 
(!input.getCanonicalPath().startsWith(versioned.getCanonicalPath() + 
File.separator)) {
+                
writer.println(smClient.getString("managerServlet.pathCheckFail", input, 
versioned));
+                return false;
+            }
+        } catch (IOException ioe) {
+            writer.println(smClient.getString("managerServlet.pathCheckError", 
input, versioned, ioe.getMessage()));
+            return false;
+        }
+        return true;
+    }
+
     /**
      * Install an application for the specified path from the specified web 
application archive.
      *
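Review bot: `versionedPathCheck` is added without Javadoc, and its contract is stricter than the inline check it replaces. Because the prefix is `versioned.getCanonicalPath() + File.separator`, an input whose canonical path is the versioned directory itself is now rejected too, and the `pathCheckFail` text will report that case as "outside the versioned directory". A short Javadoc should state that the method returns `true` only when the canonical path of `input` lies strictly below `versioned`, and that when it returns `false` the failure message has already been written to `writer`. A one-line comment on the comparison would record why the separator is appended, e.g. `// Trailing separator stops a sibling directory that shares the name prefix from matching`. The canonical paths are resolved at the time of the call, so the result only holds if callers use the path straight after the check, as the upload call site does with `mkdirs()`.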

