The fix is incorrect. indexOf returns -1 when the substring is not found, not 0. The way the current code is set forces wrong behavior.

It should be:

    (relativePath.indexOf("/META-INF/") != -1) || (relativePath.indexOf("/WEB-INF/") != -1)

Arieh

> Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
> list-help: <mailto:[EMAIL PROTECTED]>
> list-unsubscribe: <mailto:[EMAIL PROTECTED]>
> list-post: <mailto:[EMAIL PROTECTED]>
> Delivered-To: mailing list [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request SimpleMapper1.java StaticInterceptor.java
>
> craigmcc 00/12/11 09:52:31
>
> Modified: src/share/org/apache/tomcat/request Tag: tomcat_32
> SimpleMapper1.java StaticInterceptor.java
> Log:
> Fix a security vulnerability that would display the contents of sensitive
> files when a URL like this was used:
>
> http://localhost:8080/examples//WEB-INF/web.xml
>
> This vulnerability appears on Linux (and any other OS that ignores "//" in
> the middle of a pathname), but not on Windows.
>
> Submitted by: Ramon Cacha <[EMAIL PROTECTED]>
> PR: BugRat Bug Report #565
>
> Revision Changes Path
> No revision
>
> No revision
>
> 1.15.2.4 +2 -2 jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java
>
> Index: SimpleMapper1.java
> ===================================================================
> RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java,v
> retrieving revision 1.15.2.3
> retrieving revision 1.15.2.4
> diff -u -r1.15.2.3 -r1.15.2.4
> --- SimpleMapper1.java 2000/12/01 03:00:41 1.15.2.3
> +++ SimpleMapper1.java 2000/12/11 17:52:30 1.15.2.4
> @@ -343,8 +343,8 @@
>          requestURI.substring(contextPath.length()).toUpperCase();
>      if (relativePath.equals("/META-INF") ||
>          relativePath.equals("/WEB-INF") ||
> -        relativePath.startsWith("/META-INF/") ||
> -        relativePath.startsWith("/WEB-INF/"))
> +        (relativePath.indexOf("/META-INF/") != 0) ||
> +        (relativePath.indexOf("/WEB-INF/") != 0))
>          return 404;
>
>      return OK;
>
>
>
> 1.7.2.5 +3 -1 jakarta-tomcat/src/share/org/apache/tomcat/request/StaticInterceptor.java
>
> Index: StaticInterceptor.java
> ===================================================================
> RCS file: /home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/StaticInterceptor.java,v
> retrieving revision 1.7.2.4
> retrieving revision 1.7.2.5
> diff -u -r1.7.2.4 -r1.7.2.5
> --- StaticInterceptor.java 2000/11/07 22:52:52 1.7.2.4
> +++ StaticInterceptor.java 2000/12/11 17:52:30 1.7.2.5
> @@ -418,7 +418,9 @@
>
>      String relPathU=relPath.toUpperCase();
>      if ( relPathU.startsWith("WEB-INF") ||
> -         relPathU.startsWith("META-INF")) {
> +         relPathU.startsWith("META-INF") ||
> +         (relPathU.indexOf("/WEB-INF/") != 0) ||
> +         (relPathU.indexOf("/META-INF/") != 0) ) {
>          return null;
>      }
>  }
>

--
Arieh Markel                                Sun Microsystems Inc.
Network Storage                             500 Eldorado Blvd. MS UBRM11-194
e-mail: [EMAIL PROTECTED]                   Broomfield, CO 80021
Let's go Panthers !!!!                      Phone: (303) 272-8547 x78547
(e-mail me with subject SEND PUBLIC KEY to get public key)
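Review bot: the two `+` lines in the SimpleMapper1 hunk invert the intended test. `String.indexOf` returns -1 when the substring is absent, so `(relativePath.indexOf("/META-INF/") != 0)` is true for every path that does not begin with `/META-INF/`, and because the terms are OR'd the method returns 404 for essentially every URI in the context. The intended condition is `(relativePath.indexOf("/META-INF/") != -1) || (relativePath.indexOf("/WEB-INF/") != -1)`; that form also covers the `//WEB-INF/web.xml` case from the log message (the match is at index 1, not 0) and subsumes the two removed `startsWith` lines. The `toUpperCase()` in the context line keeps the comparison case-insensitive, so the uppercase literals are fine. A more robust approach than enumerating spellings of the prefix would be to collapse repeated slashes in `relativePath` before the comparison, so the protected-directory test works on a canonical path.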
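Review bot: the StaticInterceptor hunk has the same `indexOf` problem as SimpleMapper1: `(relPathU.indexOf("/WEB-INF/") != 0)` is true whenever the substring is absent (indexOf returns -1), so with the OR chain the interceptor returns null for nearly every static resource, which stops serving all static content instead of only the protected directories. Use `!= -1` (or `>= 0`) on both added lines. Since the existing `startsWith("WEB-INF")` tests show `relPathU` carries no leading slash, the new `indexOf("/WEB-INF/")` terms only match an embedded occurrence such as the one a doubled slash produces, which is exactly the case the log message describes; a one-line comment saying so would stop the next reader from folding these back into `startsWith`.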
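The following stand-alone Java class is an added example, not code from the commit or from anyone in this thread. It places the committed `!= 0` test beside the `!= -1` correction proposed above and beside a third variant (my own suggestion, not part of the commit) that collapses repeated slashes and then uses `startsWith`, and runs all three over a few constructed relative paths including the `//WEB-INF/web.xml` form from the commit log. Class and method names are assumptions chosen for this example.

```java
public class ProtectedPathCheck {

    // Mirrors the condition as committed. Wrong, because indexOf() returns -1
    // when the substring is absent, so "!= 0" is true for almost every path.
    static boolean blockedAsCommitted(String relativePath) {
        String p = relativePath.toUpperCase();
        return p.equals("/META-INF") || p.equals("/WEB-INF")
            || (p.indexOf("/META-INF/") != 0)
            || (p.indexOf("/WEB-INF/") != 0);
    }

    // The correction from the thread: block when the segment appears anywhere.
    static boolean blockedCorrected(String relativePath) {
        String p = relativePath.toUpperCase();
        return p.equals("/META-INF") || p.equals("/WEB-INF")
            || (p.indexOf("/META-INF/") != -1)
            || (p.indexOf("/WEB-INF/") != -1);
    }

    // Alternative (hypothetical, not from the commit): canonicalize first so the
    // prefix test no longer depends on how many slashes the client sent.
    // Collapses every run of '/' to a single '/'.
    static String collapseSlashes(String path) {
        StringBuilder sb = new StringBuilder(path.length());
        char prev = 0;
        for (int i = 0; i < path.length(); i++) {
            char c = path.charAt(i);
            if (c == '/' && prev == '/') {
                continue;
            }
            sb.append(c);
            prev = c;
        }
        return sb.toString();
    }

    static boolean blockedNormalized(String relativePath) {
        String p = collapseSlashes(relativePath).toUpperCase();
        return p.equals("/META-INF") || p.equals("/WEB-INF")
            || p.startsWith("/META-INF/")
            || p.startsWith("/WEB-INF/");
    }

    public static void main(String[] args) {
        // Constructed sample paths, relative to the context root.
        String[] samples = {
            "/index.html",         // ordinary resource: must be served
            "/WEB-INF/web.xml",    // direct access: must be blocked
            "//WEB-INF/web.xml",   // doubled slash from the commit log: must be blocked
            "/images//logo.gif",   // doubled slash elsewhere: must be served
            "/docs/WEB-INF/notes", // same name in a subdirectory: blocked by indexOf, served by prefix
        };
        System.out.printf("%-22s %-10s %-10s %-10s%n",
            "path", "committed", "corrected", "normalized");
        for (String s : samples) {
            System.out.printf("%-22s %-10b %-10b %-10b%n", s,
                blockedAsCommitted(s), blockedCorrected(s), blockedNormalized(s));
        }
    }
}
```

Running it shows the committed version reporting every sample as blocked (including `/index.html`), while the corrected and normalized versions differ only on `/docs/WEB-INF/notes`: the `indexOf` form rejects any path containing the segment, the canonicalizing form rejects only the real top-level protected directory.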