2011/8/22 sebb <seb...@gmail.com>:
> On 13 July 2011 14:28, <ma...@apache.org> wrote:
>> Author: markt
>> Date: Wed Jul 13 13:28:24 2011
>> New Revision: 1146005
>>
>> URL: http://svn.apache.org/viewvc?rev=1146005&view=rev
>> Log:
>> When running under a security manager and using sendfile, validate sendfile
>> attributes to prevent sendfile being used to bypass the security manager.
>> Part of the fix for CVE-2011-2526
>>
>> Modified:
>> tomcat/trunk/java/org/apache/catalina/connector/LocalStrings.properties
>> tomcat/trunk/java/org/apache/catalina/connector/Request.java
>>
>> --- tomcat/trunk/java/org/apache/catalina/connector/Request.java (original) >> +++ tomcat/trunk/java/org/apache/catalina/connector/Request.java Wed Jul 13 >> 13:28:24 2011 >> @@ -1525,6 +1525,26 @@ public class Request >> return; >> } >> >> + // Do the security check before any updates are made >> + if (Globals.IS_SECURITY_ENABLED && >> + name.equals("org.apache.tomcat.sendfile.filename")) {
>
> IMO this "magic string" should be a constant - as is done earlier in the file:
>
> ... name.equals(Globals.DISPATCHER_REQUEST_PATH_ATTR) ...
>

You are right. Actually there are three magic strings used by sendfile (filename + range bounds).

(It could not be done in r1146005 in order to reduce noise in a security patch).

Best regards,
Konstantin Kolinko
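Review bot: in the added condition, `name.equals("org.apache.tomcat.sendfile.filename")` ties the security check to a string literal, so if this spelling ever differs from the attribute name the sendfile code reads, the validation is skipped silently and the security manager check no longer applies. Define the name once as a constant (the file already does this with `Globals.DISPATCHER_REQUEST_PATH_ATTR`) and reference it wherever the attribute is set or read. Separately, the commit log says sendfile attributes (plural) are validated, while the quoted lines match only the filename attribute; the comment above the check should state which attributes it covers.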