Fix https://bz.apache.org/bugzilla/show_bug.cgi?id=61542

Remainder of fix for CVE-2017-12617 This ensures that a path specified for creation of a file does not end in '/' since that is dropped by the File API. git-svn-id: https://svn.apache.org/repos/asf/tomcat/tc7.0.x/trunk@1809293 13f79535-47bb-0310-9956-ffa450edef68
apache · Sep 22, 2017 · 327e8a6 · 327e8a6
1 parent 512a3c3
commit 327e8a6
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/java/org/apache/naming/resources/FileDirContext.java b/java/org/apache/naming/resources/FileDirContext.java
@@ -476,11 +476,16 @@ public void modifyAttributes(String name, ModificationItem[] mods)
      * @exception NamingException if a naming exception is encountered
      */
     @Override
-    public void bind(String name, Object obj, Attributes attrs)
-        throws NamingException {
+    public void bind(String name, Object obj, Attributes attrs) throws NamingException {
 
         // Note: No custom attributes allowed
 
+        // bind() is meant to create a file so ensure that the path doesn't end
+        // in '/'
+        if (name.endsWith("/")) {
+            throw new NamingException(sm.getString("resources.bindFailed", name));
+        }
+
         File file = file(name, false);
         if (file == null) {
             throw new NamingException(sm.getString("resources.bindFailed", name));

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -90,6 +90,11 @@
         <code>DirContext</code> that represented the web application in a
         <code>ProxyDirContext</code> twice rather than just once. (markt)
       </fix>
+      <fix>
+        <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+        uploaded via a specially crafted request when HTTP PUT was enabled.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">