Author: markt Date: Wed Jul 13 13:28:24 2011 New Revision: 1146005 URL: http://svn.apache.org/viewvc?rev=1146005&view=rev Log: When running under a security manager and using sendfile, validate sendfile attributes to prevent sendfile being used to bypass the security manager. Part of the fix for CVE-2011-2526
Modified: tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties tomcat/trunk/java/org/apache/catalina/connector/Request.java
Modified: tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties?rev=1146005&r1=1146004&r2=1146005&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties Wed Jul 13 13:28:24 2011
@@ -66,6 +66,7 @@ coyoteRequest.noLoginConfig=No authentic
 coyoteRequest.authenticate.ise=Cannot call authenticate() after the reponse has been committed
 coyoteRequest.uploadLocationInvalid=The temporary upload location [{0}] is not valid
 coyoteRequest.sessionEndAccessFail=Exception triggered ending access to session while recycling request
+coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file [{0}] specified for use with sendfile
 requestFacade.nullRequest=The request object has been recycled and is no longer associated with this facade
Modified: tomcat/trunk/java/org/apache/catalina/connector/Request.java
URL: http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/connector/Request.java?rev=1146005&r1=1146004&r2=1146005&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original)
+++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13 13:28:24 2011
@@ -1525,6 +1525,26 @@ public class Request
 return;
 }
+ // Do the security check before any updates are made
+ if (Globals.IS_SECURITY_ENABLED &&
+ name.equals("org.apache.tomcat.sendfile.filename")) {
+ // Use the canonical file name to avoid any possible symlink and
+ // relative path issues
+ String canonicalPath;
+ try {
+ canonicalPath = new File(value.toString()).getCanonicalPath();
+ } catch (IOException e) {
+ throw new SecurityException(sm.getString(
+ "coyoteRequest.sendfileNotCanonical", value), e);
+ }
+ // Sendfile is performed in Tomcat's security context so need to
+ // check if the web app is permitted to access the file while still
+ // in the web app's security context
+ System.getSecurityManager().checkRead(canonicalPath);
+ // Update the value so the canonical path is used
+ value = canonicalPath;
+ }
+
 oldValue = attributes.put(name, value);
 if (oldValue != null) {
 replaced = true;
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
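Review bot: The read permission is checked once, when the attribute is set, against the canonical path computed at that moment, while the hunk's own comment says the file is sent later in Tomcat's security context; nothing visible here ties that later open to the path `checkRead` approved. If a path component can change between the two points, the file that is sent may differ from the one that was checked, so the sendfile code should canonicalize again at the point of use and refuse on a mismatch with the stored attribute, or this block should state the limit, e.g. `// NOTE: validated at set time only; the sendfile code must not resolve to a different file`. Separately, `System.getSecurityManager()` is dereferenced without a null check and relies on `Globals.IS_SECURITY_ENABLED`, presumably a flag cached at class load, staying in step with the installed manager. The enclosing method starts and ends outside the hunk.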