The fix is incorrect.
indexOf returns -1 when the substring is not found, not 0.
The way the current code is set forces wrong behavior.
It should be:
(relativePath.indexOf("/META-INF/") != -1) ||
(relativePath.indexOf("/WEB-INF/") != -1))
Arieh
> Mailing-List: contact [EMAIL PROTECTED]; run by ezmlm
> list-help: <mailto:[EMAIL PROTECTED]>
> list-unsubscribe: <mailto:[EMAIL PROTECTED]>
> list-post: <mailto:[EMAIL PROTECTED]>
> Delivered-To: mailing list [EMAIL PROTECTED]
> Delivered-To: [EMAIL PROTECTED]
> From: [EMAIL PROTECTED]
> To: [EMAIL PROTECTED]
> Subject: cvs commit: jakarta-tomcat/src/share/org/apache/tomcat/request
>SimpleMapper1.java
StaticInterceptor.java
>
> craigmcc 00/12/11 09:52:31
>
> Modified: src/share/org/apache/tomcat/request Tag: tomcat_32
> SimpleMapper1.java StaticInterceptor.java
> Log:
> Fix a security vulnerability that would display the contents of sensitive
> files when a URL like this was used:
>
> http://localhost:8080/examples//WEB-INF/web.xml
>
> This vulnerability appears on Linux (and any other OS that ignores "//" in
> the middle of a pathname), but not on Windows.
>
> Submitted by: Ramon Cacha <[EMAIL PROTECTED]>
> PR: BugRat Bug Report #565
>
> Revision Changes Path
> No revision
>
>
> No revision
>
>
> 1.15.2.4 +2 -2
jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java
>
> Index: SimpleMapper1.java
> ===================================================================
> RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/SimpleMapper1.java,v
> retrieving revision 1.15.2.3
> retrieving revision 1.15.2.4
> diff -u -r1.15.2.3 -r1.15.2.4
> --- SimpleMapper1.java 2000/12/01 03:00:41 1.15.2.3
> +++ SimpleMapper1.java 2000/12/11 17:52:30 1.15.2.4
> @@ -343,8 +343,8 @@
> requestURI.substring(contextPath.length()).toUpperCase();
> if (relativePath.equals("/META-INF") ||
> relativePath.equals("/WEB-INF") ||
> - relativePath.startsWith("/META-INF/") ||
> - relativePath.startsWith("/WEB-INF/"))
> + (relativePath.indexOf("/META-INF/") != 0) ||
> + (relativePath.indexOf("/WEB-INF/") != 0))
> return 404;
>
> return OK;
>
>
>
> 1.7.2.5 +3 -1
jakarta-tomcat/src/share/org/apache/tomcat/request/StaticInterceptor.java
>
> Index: StaticInterceptor.java
> ===================================================================
> RCS file:
/home/cvs/jakarta-tomcat/src/share/org/apache/tomcat/request/StaticInterceptor.java,v
> retrieving revision 1.7.2.4
> retrieving revision 1.7.2.5
> diff -u -r1.7.2.4 -r1.7.2.5
> --- StaticInterceptor.java 2000/11/07 22:52:52 1.7.2.4
> +++ StaticInterceptor.java 2000/12/11 17:52:30 1.7.2.5
> @@ -418,7 +418,9 @@
>
> String relPathU=relPath.toUpperCase();
> if ( relPathU.startsWith("WEB-INF") ||
> - relPathU.startsWith("META-INF")) {
> + relPathU.startsWith("META-INF") ||
> + (relPathU.indexOf("/WEB-INF/") != 0) ||
> + (relPathU.indexOf("/META-INF/") != 0) ) {
> return null;
> }
> }
>
>
>
--
Arieh Markel Sun Microsystems Inc.
Network Storage 500 Eldorado Blvd. MS UBRM11-194
e-mail: [EMAIL PROTECTED] Broomfield, CO 80021
Let's go Panthers !!!! Phone: (303) 272-8547 x78547
(e-mail me with subject SEND PUBLIC KEY to get public key)