tomcat/CVE-2021-25329-pre3.patch


2021-03-12 10:25:17 +08:00
From 2c5066316f6b138c4130a87cae4db05d75afe150 Mon Sep 17 00:00:00 2001
From: wang_yue111 <648774160@qq.com>
Date: Fri, 12 Mar 2021 09:44:04 +0800
Subject: [PATCH] 2
---
.../catalina/startup/ContextConfig.java | 75 ++++++++++---------
1 file changed, 41 insertions(+), 34 deletions(-)
diff --git a/java/org/apache/catalina/startup/ContextConfig.java b/java/org/apache/catalina/startup/ContextConfig.java
index 89eb8d3..a4210f8 100644
--- a/java/org/apache/catalina/startup/ContextConfig.java
+++ b/java/org/apache/catalina/startup/ContextConfig.java
@@ -566,25 +566,29 @@ public class ContextConfig implements LifecycleListener {
Host host = (Host) context.getParent();
File appBase = host.getAppBaseFile();
- String docBase = context.getDocBase();
- if (docBase == null) {
+ // This could be blank, relative, absolute or canonical
+ String docBaseConfigured = context.getDocBase();
+ // If there is no explicit docBase, derive it from the path and version
+ if (docBaseConfigured == null) {
// Trying to guess the docBase according to the path
String path = context.getPath();
if (path == null) {
return;
}
ContextName cn = new ContextName(path, context.getWebappVersion());
- docBase = cn.getBaseName();
+ docBaseConfigured = cn.getBaseName();
}
- File file = new File(docBase);
- if (!file.isAbsolute()) {
- docBase = (new File(appBase, docBase)).getAbsolutePath();
- } else {
- docBase = file.getAbsolutePath();
- }
- file = new File(docBase);
- String origDocBase = docBase;
+ // Obtain the absolute docBase in String and File form
+ String docBaseAbsolute;
+ File docBaseConfiguredFile = new File(docBaseConfigured);
+ if (!docBaseConfiguredFile.isAbsolute()) {
+ docBaseAbsolute = (new File(appBase, docBaseConfigured)).getAbsolutePath();
+ } else {
+ docBaseAbsolute = docBaseConfiguredFile.getAbsolutePath();
+ }
+ File docBaseAbsoluteFile = new File(docBaseAbsolute);
+ String originalDocBase = docBaseAbsolute;
ContextName cn = new ContextName(context.getPath(), context.getWebappVersion());
String pathName = cn.getBaseName();
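Review bot: The new comment says the configured docBase "could be blank", but only the `null` case gets a derived value. A blank string goes on to `new File(appBase, docBaseConfigured)`, which as far as I can tell resolves to the appBase directory itself, so the context's document root would be the whole appBase rather than one application. If that is not intended, treat blank like absent with `if (docBaseConfigured == null || docBaseConfigured.isEmpty()) {`; if it is intended, say so in the comment. The enclosing method starts before this hunk and continues after it.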
@@ -597,28 +601,29 @@ public class ContextConfig implements LifecycleListener {
}
}
- boolean docBaseInAppBase = docBase.startsWith(appBase.getPath() + File.separatorChar);
-
- if (docBase.toLowerCase(Locale.ENGLISH).endsWith(".war") && !file.isDirectory()) {
- URL war = UriUtil.buildJarUrl(new File(docBase));
+ // At this point we need to determine if we have a WAR file in the
+ // appBase that needs to be expanded. Therefore we consider the absolute
+ // docBase NOT the canonical docBase. This is because some users symlink
+ // WAR files into the appBase and we want this to work correctly.
+ boolean docBaseAbsoluteInAppBase = docBaseAbsolute.startsWith(appBase.getPath() + File.separatorChar);
+ if (docBaseAbsolute.toLowerCase(Locale.ENGLISH).endsWith(".war") && !docBaseAbsoluteFile.isDirectory()) {
+ URL war = UriUtil.buildJarUrl(docBaseAbsoluteFile);
if (unpackWARs) {
- docBase = ExpandWar.expand(host, war, pathName);
- file = new File(docBase);
- docBase = file.getCanonicalPath();
+ docBaseAbsolute = ExpandWar.expand(host, war, pathName);
+ docBaseAbsoluteFile = new File(docBaseAbsolute);
if (context instanceof StandardContext) {
- ((StandardContext) context).setOriginalDocBase(origDocBase);
+ ((StandardContext) context).setOriginalDocBase(originalDocBase);
}
} else {
ExpandWar.validate(host, war, pathName);
}
} else {
- File docDir = new File(docBase);
- File warFile = new File(docBase + ".war");
+ File docBaseAbsoluteFileWar = new File(docBaseAbsolute + ".war");
URL war = null;
- if (warFile.exists() && docBaseInAppBase) {
- war = UriUtil.buildJarUrl(warFile);
+ if (docBaseAbsoluteFileWar.exists() && docBaseAbsoluteInAppBase) {
+ war = UriUtil.buildJarUrl(docBaseAbsoluteFileWar);
}
- if (docDir.exists()) {
+ if (docBaseAbsoluteFile.exists()) {
if (war != null && unpackWARs) {
// Check if WAR needs to be re-expanded (e.g. if it has
// changed). Note: HostConfig.deployWar() takes care of
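Review bot: `docBaseAbsoluteInAppBase` is a string-prefix test on a path from `getAbsolutePath()`, which does not collapse `..` segments, so a docBase such as `<appBase>/../other` (constructed example) still counts as inside appBase for the `.war` lookup in the `else` branch. Keeping the absolute form so that symlinked WARs work is reasonable, as the new comment explains, and the path can be normalised lexically without resolving symlinks: `boolean docBaseAbsoluteInAppBase = docBaseAbsoluteFile.toPath().normalize().startsWith(appBase.toPath());`. `Path.startsWith` is also true when the two paths are equal, so add an inequality check if appBase itself must stay excluded, as the current `+ File.separatorChar` form does. The method body begins before this hunk and continues past it.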
@@ -629,31 +634,33 @@ public class ContextConfig implements LifecycleListener {
} else {
if (war != null) {
if (unpackWARs) {
- docBase = ExpandWar.expand(host, war, pathName);
- file = new File(docBase);
- docBase = file.getCanonicalPath();
+ docBaseAbsolute = ExpandWar.expand(host, war, pathName);
+ docBaseAbsoluteFile = new File(docBaseAbsolute);
} else {
- docBase = warFile.getCanonicalPath();
+ docBaseAbsolute = docBaseAbsoluteFileWar.getAbsolutePath();
+ docBaseAbsoluteFile = docBaseAbsoluteFileWar;
ExpandWar.validate(host, war, pathName);
}
}
if (context instanceof StandardContext) {
- ((StandardContext) context).setOriginalDocBase(origDocBase);
+ ((StandardContext) context).setOriginalDocBase(originalDocBase);
}
}
}
- // Re-calculate now docBase is a canonical path
- docBaseInAppBase = docBase.startsWith(appBase.getPath() + File.separatorChar);
+ String docBaseCanonical = docBaseAbsoluteFile.getCanonicalPath();
- if (docBaseInAppBase) {
- docBase = docBase.substring(appBase.getPath().length());
+ // Re-calculate now docBase is a canonical path
+ boolean docBaseCanonicalInAppBase = docBaseCanonical.startsWith(appBase.getPath() + File.separatorChar);
+ String docBase;
+ if (docBaseCanonicalInAppBase) {
+ docBase = docBaseCanonical.substring(appBase.getPath().length());
docBase = docBase.replace(File.separatorChar, '/');
if (docBase.startsWith("/")) {
docBase = docBase.substring(1);
}
} else {
- docBase = docBase.replace(File.separatorChar, '/');
+ docBase = docBaseCanonical.replace(File.separatorChar, '/');
}
context.setDocBase(docBase);
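Review bot: The containment test on `docBaseCanonical` compares a canonical path against `appBase.getPath()`, which is only sound if `host.getAppBaseFile()` already returns a canonical file, and nothing visible in this patch establishes that. If appBase is reached through a symlink, or differs in case on a case-insensitive filesystem, a docBase inside it would presumably be classified as outside, and the value passed to `context.setDocBase` would then be the full path instead of the relative one. Comparing like with like removes the assumption: `docBaseAbsoluteFile.getCanonicalFile().toPath().startsWith(appBase.getCanonicalFile().toPath())`, with the same canonical appBase string used for the `substring` length. The method body begins before this hunk.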
--
2.23.0