diff --git a/java/org/apache/naming/resources/FileDirContext.java b/java/org/apache/naming/resources/FileDirContext.java
index 2c94a80bd4e..b7dc1080da3 100644
--- a/java/org/apache/naming/resources/FileDirContext.java
+++ b/java/org/apache/naming/resources/FileDirContext.java
@@ -476,11 +476,16 @@ public void modifyAttributes(String name, ModificationItem[] mods)
* @exception NamingException if a naming exception is encountered
*/
@Override
- public void bind(String name, Object obj, Attributes attrs)
- throws NamingException {
+ public void bind(String name, Object obj, Attributes attrs) throws NamingException {
// Note: No custom attributes allowed
+ // bind() is meant to create a file so ensure that the path doesn't end
+ // in '/'
+ if (name.endsWith("/")) {
+ throw new NamingException(sm.getString("resources.bindFailed", name));
+ }
+
File file = file(name, false);
if (file == null) {
throw new NamingException(sm.getString("resources.bindFailed", name));
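Review bot: The trailing-slash guard added at the top of bind() is a string test on the raw `name`, and it protects only this one entry point. Other methods of this class that create or overwrite a file from a caller-supplied name are not visible in the hunk; rebind() is the obvious one to check. If any of them reach `file(name, false)` without going through bind(), they need the same rejection, and putting the check in the shared lookup would cover them all. The Javadoc above the method should also record the new contract, for example `* Names ending in '/' are rejected because bind() creates a file, not a directory.` bind()'s body continues outside the hunk.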
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 2db8b6205a7..5361d73bc2f 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -90,6 +90,11 @@
DirContext
that represented the web application in a
ProxyDirContext
twice rather than just once. (markt)
+
+ 61542: Fix CVE-2017-12617 and prevent JSPs from being
+ uploaded via a specially crafted request when HTTP PUT was enabled.
+ (markt)
+