For fun, I asked Claude Sonnet 4.5 :) It says that the commit message indicates it's not, and the reasoning is sound. But when I asked if the developer might be misleading us, the response said that subsequent commits indicate that it does have a security impact, with some examples of possibilities. I'm not sure those are sound, though...
On Fri, May 8, 2026 at 11:45 AM Coty Sutherland <[email protected]> wrote: > I am curious how many agents/bots are watching commit messages and > evaluating them for security concerns these days... > > On Fri, May 8, 2026 at 10:43 AM Mark Thomas <[email protected]> wrote: > >> Anyone want to take a bet on how long it takes before we get an AI >> generated report that, despite the commit comment, this fixes a security >> vulnerability? >> >> Mark >> >> >> On 08/05/2026 15:41, [email protected] wrote: >> > This is an automated email from the ASF dual-hosted git repository. >> > >> > markt-asf pushed a commit to branch main >> > in repository https://gitbox.apache.org/repos/asf/tomcat.git >> > >> > >> > The following commit(s) were added to refs/heads/main by this push: >> > new 6b7f62f0a6 Prevent accidental directory traversal >> > 6b7f62f0a6 is described below >> > >> > commit 6b7f62f0a6a2ed4c10ad717b3212c799cd98e2f9 >> > Author: Mark Thomas <[email protected]> >> > AuthorDate: Fri May 8 15:40:30 2026 +0100 >> > >> > Prevent accidental directory traversal >> > >> > Note: This is NOT a security vulnerability as uploading a web >> application effectively allows RCE anyway. >> > --- >> > java/org/apache/catalina/manager/LocalStrings.properties | 2 ++ >> > java/org/apache/catalina/manager/ManagerServlet.java | 9 +++++++++ >> > webapps/docs/changelog.xml | 4 ++++ >> > 3 files changed, 15 insertions(+) >> > >> > diff --git a/java/org/apache/catalina/manager/LocalStrings.properties >> b/java/org/apache/catalina/manager/LocalStrings.properties >> > index 618039a367..d14516e114 100644 >> > --- a/java/org/apache/catalina/manager/LocalStrings.properties >> > +++ b/java/org/apache/catalina/manager/LocalStrings.properties 
>> > @@ -158,6 +158,8 @@ managerServlet.noWrapper=Container has not called >> setWrapper() for this servlet >> > managerServlet.notDeployed=FAIL - Context [{0}] is defined in >> server.xml and may not be undeployed >> > managerServlet.notSslConnector=SSL is not enabled for this connector >> > managerServlet.objectNameFail=FAIL - Unable to register object name >> [{0}] for Manager Servlet >> > +managerServlet.pathCheckFail=FAIL - Unable to upload to [{0}] as that >> is outside the versioned directory [{1}] >> > +managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] due to >> [{2}] while checking the destination not outside the versioned directory >> [{1}] >> > managerServlet.postCommand=FAIL - Tried to use command [{0}] via a >> GET request but POST is required >> > managerServlet.reloaded=OK - Reloaded application at context path >> [{0}] >> > managerServlet.renameFail=FAIL - Unable to rename [{0}] to [{1}]. >> This may cause problems for future deployments. >> > diff --git a/java/org/apache/catalina/manager/ManagerServlet.java >> b/java/org/apache/catalina/manager/ManagerServlet.java >> > index 806be52ce7..f222e3146f 100644 >> > --- a/java/org/apache/catalina/manager/ManagerServlet.java >> > +++ b/java/org/apache/catalina/manager/ManagerServlet.java 
>> > @@ -732,6 +732,15 @@ public class ManagerServlet extends HttpServlet >> implements ContainerServlet { >> > } >> > } else { >> > File uploadPath = new File(versioned, tag); >> > + try { >> > + if >> (!uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath())) { >> > + >> writer.println(smClient.getString("managerServlet.pathCheckFail", >> uploadPath, versioned)); >> > + return; >> > + } >> > + } catch (IOException ioe) { >> > + >> writer.println(smClient.getString("managerServlet.pathCheckError", >> uploadPath, versioned, ioe.getMessage())); >> > + return; >> > + } >> > if (!uploadPath.mkdirs() && !uploadPath.isDirectory()) { >> > >> writer.println(smClient.getString("managerServlet.mkdirFail", uploadPath)); >> > return; >> > diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml >> > index e05c907131..ae82756886 100644 >> > --- a/webapps/docs/changelog.xml >> > +++ b/webapps/docs/changelog.xml >> > @@ -330,6 +330,10 @@ >> > <subsection name="Web applications"> >> > <changelog> >> > <!-- Entries for backport and removal before 12.0.0-M1 below >> this line --> >> > + <add> >> > + Manager: Add a check to ensure that any web application >> uploaded using >> > + the tag mechanism is uploaded to the correct location. (markt) >> > + </add> >> > </changelog> >> > </subsection> >> > <subsection name="jdbc-pool"> >> > >> > >> > --------------------------------------------------------------------- >> > To unsubscribe, e-mail: [email protected] >> > For additional commands, e-mail: [email protected] >> > >> >> >> --------------------------------------------------------------------- >> To unsubscribe, e-mail: [email protected] >> For additional commands, e-mail: [email protected] >> >>
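Review bot: in the LocalStrings.properties hunk, the second added line `managerServlet.pathCheckErrorFAIL - Unable to upload to [{0}] due to [{2}] ...` has no `=` between key and value, unlike `managerServlet.pathCheckFail=FAIL - ...` directly above it, so a properties loader will take the key to be `managerServlet.pathCheckErrorFAIL` and the `smClient.getString("managerServlet.pathCheckError", ...)` lookup added in ManagerServlet.java will not resolve to this message; it should read `managerServlet.pathCheckError=FAIL - Unable to upload to [{0}] due to [{2}] while checking the destination not outside the versioned directory [{1}]`.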
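Review bot: in the ManagerServlet.java hunk, `uploadPath.getCanonicalPath().startsWith(versioned.getCanonicalPath())` is a plain string-prefix test, so a canonical path for a sibling directory whose name merely begins with the versioned directory's name would also pass the check despite lying outside it; compare against `versioned.getCanonicalPath() + File.separator` (or use `java.nio.file.Path.startsWith`, which compares whole path segments), and decide whether `uploadPath` equal to `versioned` itself (an empty `tag`) should be accepted. Minor: `ioe.getMessage()` may be null, which would render as `[null]` in the `pathCheckError` message.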
