packages/tomcat
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2021-24122

Browse Source
This commit is contained in:
wangxiao65 2021-02-18 14:45:52 +08:00
parent a4060beb73
commit b742026da2
2 changed files with 81 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
CVE-2021-24122.patch Normal file
View File

@ -0,0 +1,73 @@
From 935fc5582dc25ae10bab6f9d5629ff8d996cb533 Mon Sep 17 00:00:00 2001
From: Mark Thomas <markt@apache.org>
Date: Fri, 6 Nov 2020 19:03:57 +0000
Subject: [PATCH] Fix BZ 64871. Log if file access is blocked due to symlinks
https://bz.apache.org/bugzilla/show_bug.cgi?id=64871
---
.../webresources/AbstractFileResourceSet.java | 19 ++++++++++++++++++-
.../webresources/LocalStrings.properties | 2 ++
2 files changed, 20 insertions(+), 1 deletion(-)
diff --git a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
index c7993411e9..59fc77157f 100644
--- a/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
+++ b/java/org/apache/catalina/webresources/AbstractFileResourceSet.java
@@ -22,11 +22,15 @@
import java.net.URL;
import org.apache.catalina.LifecycleException;
+import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
import org.apache.tomcat.util.compat.JrePlatform;
import org.apache.tomcat.util.http.RequestUtil;
public abstract class AbstractFileResourceSet extends AbstractResourceSet {
+ private static final Log log = LogFactory.getLog(AbstractFileResourceSet.class);
+
protected static final String[] EMPTY_STRING_ARRAY = new String[0];
private File fileBase;
@@ -128,6 +132,19 @@ protected final File file(String name, boolean mustExist) {
canPath = normalize(canPath);
}
if (!canPath.equals(absPath)) {
+ if (!canPath.equalsIgnoreCase(absPath)) {
+ // Typically means symlinks are in use but being ignored. Given
+ // the symlink was likely created for a reason, log a warning
+ // that it was ignored.
+ String msg = sm.getString("abstractFileResourceSet.canonicalfileCheckFailed",
+ getRoot().getContext().getName(), absPath, canPath);
+ // Log issues with configuration files at a higher level
+ if(absPath.startsWith("/META-INF/") || absPath.startsWith("/WEB-INF/")) {
+ log.error(msg);
+ } else {
+ log.warn(msg);
+ }
+ }
return null;
}
@@ -144,7 +161,7 @@ private boolean isInvalidWindowsFilename(String name) {
// expression irrespective of input length.
for (int i = 0; i < len; i++) {
char c = name.charAt(i);
- if (c == '\"' || c == '<' || c == '>') {
+ if (c == '\"' || c == '<' || c == '>' || c == ':') {
// These characters are disallowed in Windows file names and
// there are known problems for file names with these characters
// when using File#getCanonicalPath().
diff --git a/java/org/apache/catalina/webresources/LocalStrings.properties b/java/org/apache/catalina/webresources/LocalStrings.properties
index fb9badc120..af9f9fe797 100644
--- a/java/org/apache/catalina/webresources/LocalStrings.properties
+++ b/java/org/apache/catalina/webresources/LocalStrings.properties
@@ -15,6 +15,8 @@
abstractArchiveResourceSet.setReadOnlyFalse=Archive based WebResourceSets such as those based on JARs are hard-coded to be read-only and may not be configured to be read-write
+abstractFileResourceSet.canonicalfileCheckFailed=Resource for web application [{0}] at path [{1}] was not loaded as the canonical path [{2}] did not match. Use of symlinks is one possible cause.
+
abstractResource.getContentFail=Unable to return [{0}] as a byte array
abstractResource.getContentTooLarge=Unable to return [{0}] as a byte array since the resource is [{1}] bytes in size which is larger than the maximum size of a byte array

9
tomcat.spec
View File

@ -13,7 +13,7 @@
Name: tomcat Name: tomcat
Epoch: 1 Epoch: 1
Version: %{major_version}.%{minor_version}.%{micro_version} Version: %{major_version}.%{minor_version}.%{micro_version}
Release: 16 Release: 17
Summary: Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies Summary: Implementation of the Java Servlet, JavaServer Pages, Java Expression Language and Java WebSocket technologies
License: ASL 2.0 License: ASL 2.0
URL: http://tomcat.apache.org/ URL: http://tomcat.apache.org/
@ -75,6 +75,7 @@ Patch6029: CVE-2020-13943-2.patch
Patch6030: CVE-2020-13943-3.patch Patch6030: CVE-2020-13943-3.patch
Patch6031: CVE-2020-13943-4.patch Patch6031: CVE-2020-13943-4.patch
Patch6032: CVE-2020-17527.patch Patch6032: CVE-2020-17527.patch
Patch6033: CVE-2021-24122.patch
BuildRequires: ecj >= 1:4.6.1 findutils apache-commons-collections apache-commons-daemon BuildRequires: ecj >= 1:4.6.1 findutils apache-commons-collections apache-commons-daemon
BuildRequires: apache-commons-dbcp apache-commons-pool tomcat-taglibs-standard ant BuildRequires: apache-commons-dbcp apache-commons-pool tomcat-taglibs-standard ant
@ -476,6 +477,12 @@ fi
%{_javadocdir}/%{name} %{_javadocdir}/%{name}
%changelog %changelog
* Thu Feb 18 2021 wangxiao <wangxiao65@huawei.com> - 1:9.0.10-17
- Type:cve
- ID: CVE-2021-24122
- SUG:restart
- DESC: fix CVE-2021-24122
* Sat Dec 12 2020 zhanghua <zhanghua40@huawei.com> - 1:9.0.10-16 * Sat Dec 12 2020 zhanghua <zhanghua40@huawei.com> - 1:9.0.10-16
- Type:cve - Type:cve
- ID: CVE-2020-17527 - ID: CVE-2020-17527