(tomcat) branch 9.0.x updated: Remove unnecessary checks.

Mon, 18 May 2026 03:14:21 -0700 

This is an automated email from the ASF dual-hosted git repository.

markt-asf pushed a commit to branch 9.0.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/9.0.x by this push:
     new 39d0207cd1 Remove unnecessary checks.
39d0207cd1 is described below

commit 39d0207cd1fe01c05f968a9e9422a46c181793f2
Author: Mark Thomas <[email protected]>
AuthorDate: Mon May 18 11:12:46 2026 +0100

    Remove unnecessary checks.
    
    The later normalization checks are more accurate and more comprehensive.
---
 java/org/apache/catalina/ssi/LocalStrings.properties         | 1 -
 java/org/apache/catalina/ssi/LocalStrings_fr.properties      | 1 -
 java/org/apache/catalina/ssi/LocalStrings_ja.properties      | 1 -
 java/org/apache/catalina/ssi/LocalStrings_ko.properties      | 1 -
 java/org/apache/catalina/ssi/LocalStrings_zh_CN.properties   | 1 -
 java/org/apache/catalina/ssi/SSIServletExternalResolver.java | 8 ++------
 webapps/docs/changelog.xml                                   | 4 ++++
 7 files changed, 6 insertions(+), 11 deletions(-)

diff --git a/java/org/apache/catalina/ssi/LocalStrings.properties 
b/java/org/apache/catalina/ssi/LocalStrings.properties
index 450cd53703..7fe8a96c31 100644
--- a/java/org/apache/catalina/ssi/LocalStrings.properties
+++ b/java/org/apache/catalina/ssi/LocalStrings.properties
@@ -42,7 +42,6 @@ ssiServletExternalResolver.noFile=File [{0}] not found
 ssiServletExternalResolver.noIncludeFile=Include file [{0}] not found
 ssiServletExternalResolver.noResource=Context did not contain resource [{0}]
 ssiServletExternalResolver.normalizationError=Normalization returned null for 
path [{0}]
-ssiServletExternalResolver.pathTraversalNonVirtualPath=Non virtual path [{0}] 
cannot contain path traversal sequences
 ssiServletExternalResolver.removeFilenameError=Cannot remove filename from 
path [{0}]
 ssiServletExternalResolver.requestDispatcherError=Cannot get request 
dispatcher for path [{0}]
 
diff --git a/java/org/apache/catalina/ssi/LocalStrings_fr.properties 
b/java/org/apache/catalina/ssi/LocalStrings_fr.properties
index b14c522e73..c6f61d7f06 100644
--- a/java/org/apache/catalina/ssi/LocalStrings_fr.properties
+++ b/java/org/apache/catalina/ssi/LocalStrings_fr.properties
@@ -42,7 +42,6 @@ ssiServletExternalResolver.noFile=Le fichier [{0}] n''a pas 
été trouvé
 ssiServletExternalResolver.noIncludeFile=Le fichier inclus [{0}] n''a pas été 
trouvé
 ssiServletExternalResolver.noResource=Le contexte ne contenait pas la 
ressource [{0}]
 ssiServletExternalResolver.normalizationError=La normalisation du chemin [{0}] 
a retourné null
-ssiServletExternalResolver.pathTraversalNonVirtualPath=Le chemin non virtuel 
[{0}] ne peut contenir des séquences de navigation dans le chemin
 ssiServletExternalResolver.removeFilenameError=Impossible de supprimer le nom 
de fichier du chemin [{0}]
 ssiServletExternalResolver.requestDispatcherError=Impossible d''obtenir le 
dispatcher de requêtes pour le chemin [{0}]
 
diff --git a/java/org/apache/catalina/ssi/LocalStrings_ja.properties 
b/java/org/apache/catalina/ssi/LocalStrings_ja.properties
index 708a7562b6..7eb95a09eb 100644
--- a/java/org/apache/catalina/ssi/LocalStrings_ja.properties
+++ b/java/org/apache/catalina/ssi/LocalStrings_ja.properties
@@ -42,7 +42,6 @@ ssiServletExternalResolver.noFile=ファイル[{0}]が見つかりません
 ssiServletExternalResolver.noIncludeFile=インクルードファイル[{0}]が見つかりません
 ssiServletExternalResolver.noResource=コンテキストにリソース [{0}] が含まれていません
 ssiServletExternalResolver.normalizationError=パス [{0}] の正規化によってNULLが返されました
-ssiServletExternalResolver.pathTraversalNonVirtualPath=非仮想パス [{0}] 
にはパストラバーサルシーケンスを含めることはできません
 ssiServletExternalResolver.removeFilenameError=パス [{0}] のファイル名を削除できません
 ssiServletExternalResolver.requestDispatcherError=パス [{0}] 
のリクエストディスパッチャを取得できません
 
diff --git a/java/org/apache/catalina/ssi/LocalStrings_ko.properties 
b/java/org/apache/catalina/ssi/LocalStrings_ko.properties
index b90102c489..3746447740 100644
--- a/java/org/apache/catalina/ssi/LocalStrings_ko.properties
+++ b/java/org/apache/catalina/ssi/LocalStrings_ko.properties
@@ -42,7 +42,6 @@ ssiServletExternalResolver.noFile=파일 [{0}]을(를) 찾을 수 없습니다.
 ssiServletExternalResolver.noIncludeFile=Include할 파일 [{0}]을(를) 찾을 수 없습니다.
 ssiServletExternalResolver.noResource=컨텍스트가 리소스 [{0}]을(를) 포함하지 않았습니다.
 ssiServletExternalResolver.normalizationError=경로 [{0}]을(를) 위한 정규화가 널을 반환했습니다.
-ssiServletExternalResolver.pathTraversalNonVirtualPath=비가상경로 [{0}]은(는), 디렉토리를 
이동하는 문자열 시퀀스를 포함해서는 안됩니다.
 ssiServletExternalResolver.removeFilenameError=경로 [{0}](으)로부터, 파일 이름을 제외한 나머지 
경로를 구할 수 없습니다.
 ssiServletExternalResolver.requestDispatcherError=경로 [{0}]을(를) 위한 요청 디스패처를 얻을 
수 없습니다.
 
diff --git a/java/org/apache/catalina/ssi/LocalStrings_zh_CN.properties 
b/java/org/apache/catalina/ssi/LocalStrings_zh_CN.properties
index 5c1140d9f5..69634b31d4 100644
--- a/java/org/apache/catalina/ssi/LocalStrings_zh_CN.properties
+++ b/java/org/apache/catalina/ssi/LocalStrings_zh_CN.properties
@@ -42,7 +42,6 @@ ssiServletExternalResolver.noFile=找不到文件[{0}]
 ssiServletExternalResolver.noIncludeFile=未找到包含文件[{0}]
 ssiServletExternalResolver.noResource=上下文不包含资源[{0}]
 ssiServletExternalResolver.normalizationError=规范化为路径[{0}]返回了空值
-ssiServletExternalResolver.pathTraversalNonVirtualPath=非虚拟路径[{0}]不能包含路径遍历序列
 ssiServletExternalResolver.removeFilenameError=无法从路径[{0}]中删除文件名
 ssiServletExternalResolver.requestDispatcherError=无法获取路径[{0}]的请求调度程序
 
diff --git a/java/org/apache/catalina/ssi/SSIServletExternalResolver.java 
b/java/org/apache/catalina/ssi/SSIServletExternalResolver.java
index ba7ec19978..faf18015e5 100644
--- a/java/org/apache/catalina/ssi/SSIServletExternalResolver.java
+++ b/java/org/apache/catalina/ssi/SSIServletExternalResolver.java
@@ -491,13 +491,9 @@ public class SSIServletExternalResolver implements 
SSIExternalResolver {
      */
     protected ServletContextAndPath 
getServletContextAndPathFromNonVirtualPath(String nonVirtualPath)
             throws IOException {
-        if (nonVirtualPath.startsWith("/") || nonVirtualPath.startsWith("\\")) 
{
+        if (nonVirtualPath.startsWith("/")) {
             throw new 
IOException(sm.getString("ssiServletExternalResolver.absoluteNonVirtualPath", 
nonVirtualPath));
         }
-        if (nonVirtualPath.contains("../")) {
-            throw new IOException(
-                    
sm.getString("ssiServletExternalResolver.pathTraversalNonVirtualPath", 
nonVirtualPath));
-        }
         return new ServletContextAndPath(context, 
getAbsolutePath(nonVirtualPath));
     }
 
@@ -513,7 +509,7 @@ public class SSIServletExternalResolver implements 
SSIExternalResolver {
      */
     protected ServletContextAndPath 
getServletContextAndPathFromVirtualPath(String virtualPath) throws IOException {
 
-        if (!virtualPath.startsWith("/") && !virtualPath.startsWith("\\")) {
+        if (!virtualPath.startsWith("/")) {
             return new ServletContextAndPath(context, 
getAbsolutePath(virtualPath));
         }
 
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index da44438fac..293a35b58e 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -118,6 +118,10 @@
         Prevent duplicate log messages when clustering JARs are not present on
         startup. (csutherl)
       </fix>
+      <scode>
+        Remove unnecessary code from the SSI processing engine that was
+        duplicating some of the normalisation checks. (markt)
+      </scode>
     </changelog>
   </subsection>
   <subsection name="Coyote">


---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to