tomcat/CVE-2022-23181.patch

From 1385c624b4a1e994426e810075c850edc38a700e Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Wed, 12 Jan 2022 11:11:29 +0000
Subject: [PATCH] Make calculation of session storage location more robust

---
 java/org/apache/catalina/session/FileStore.java | 5 +++--
 1 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java
index cac6027abdc..e42a72a4c87 100644
--- a/java/org/apache/catalina/session/FileStore.java
+++ b/java/org/apache/catalina/session/FileStore.java
@@ -349,13 +349,14 @@ private File file(String id) throws IOException {
 
         String filename = id + FILE_EXT;
         File file = new File(storageDir, filename);
+        File canonicalFile = file.getCanonicalFile();
 
         // Check the file is within the storage directory
-        if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+        if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
             log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
             return null;
         }
 
-        return file;
+        return canonicalFile;
     }
 }
Fix CVE-2022-23181 (cherry picked from commit 002e53906d56d1be5c33056a57c3bdc7af994e32) 2022-02-18 10:47:30 +08:00			`From 1385c624b4a1e994426e810075c850edc38a700e Mon Sep 17 00:00:00 2001`
			`From: Mark Thomas <markt@apache.org>`
			`Date: Wed, 12 Jan 2022 11:11:29 +0000`
			`Subject: [PATCH] Make calculation of session storage location more robust`

			`---`
			`java/org/apache/catalina/session/FileStore.java \| 5 +++--`
			`1 files changed, 3 insertions(+), 2 deletions(-)`

			`diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java`
			`index cac6027abdc..e42a72a4c87 100644`
			`--- a/java/org/apache/catalina/session/FileStore.java`
			`+++ b/java/org/apache/catalina/session/FileStore.java`
			`@@ -349,13 +349,14 @@ private File file(String id) throws IOException {`

			`String filename = id + FILE_EXT;`
			`File file = new File(storageDir, filename);`
			`+ File canonicalFile = file.getCanonicalFile();`

			`// Check the file is within the storage directory`
			`- if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {`
			`+ if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {`
			`log.warn(sm.getString("fileStore.invalid", file.getPath(), id));`
			`return null;`
			`}`

			`- return file;`
			`+ return canonicalFile;`
			`}`
			`}`