Redefine globalXsltFile as relative to CATALINA_BASE/conf or CATALINA…

…_HOME/conf

This is part 1 of 2 of the fix for CVE-2014-0096


git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@1578610 13f79535-47bb-0310-9956-ffa450edef68

conf/web.xml

@@ -88,10 +88,10 @@
   <!--                       globalXsltFile[null]                           -->
   <!--                                                                      -->
   <!--   globalXsltFile      Site wide configuration version of             -->
-  <!--                       localXsltFile This argument is expected        -->
-  <!--                       to be a physical file. [null]                  -->
-  <!--                                                                      -->
-  <!--                                                                      -->
+  <!--                       localXsltFile. This argument must be a         -->
+  <!--                       relative path that points to a location below  -->
+  <!--                       either $CATALINA_BASE/conf (checked first)     -->
+  <!--                       or $CATALINA_BASE/conf (checked second).[null] -->
 
     <servlet>
         <servlet-name>default</servlet-name>

java/org/apache/catalina/Container.java

@@ -414,7 +414,13 @@ public void logAccess(Request request, Response response, long time,
 
 
     /**
-     *
+     * Obtain the location of CATALINA_BASE.
      */
     public File getCatalinaBase();
+
+
+    /**
+     * Obtain the location of CATALINA_HOME.
+     */
+    public File getCatalinaHome();
 }

java/org/apache/catalina/core/ContainerBase.java

@@ -1155,6 +1155,17 @@ public File getCatalinaBase() {
     }
 
 
+    @Override
+    public File getCatalinaHome() {
+
+        if (parent == null) {
+            return null;
+        }
+
+        return parent.getCatalinaHome();
+    }
+
+
     // ------------------------------------------------------ Protected Methods
 
     /**

java/org/apache/catalina/core/StandardEngine.java

@@ -374,6 +374,22 @@ public File getCatalinaBase() {
     }
 
 
+    @Override
+    public File getCatalinaHome() {
+        if (service != null) {
+            Server s = service.getServer();
+            if (s != null) {
+                File base = s.getCatalinaHome();
+                if (base != null) {
+                    return base;
+                }
+            }
+        }
+        // Fall-back
+        return super.getCatalinaHome();
+    }
+
+
     // -------------------- JMX registration  --------------------
 
     @Override

java/org/apache/catalina/servlets/DefaultServlet.java

@@ -34,6 +34,7 @@
 import java.util.ArrayList;
 import java.util.Enumeration;
 import java.util.Iterator;
+import java.util.Locale;
 import java.util.StringTokenizer;
 
 import javax.servlet.RequestDispatcher;
@@ -53,6 +54,7 @@
 import javax.xml.transform.stream.StreamResult;
 import javax.xml.transform.stream.StreamSource;
 
+import org.apache.catalina.Context;
 import org.apache.catalina.Globals;
 import org.apache.catalina.WebResource;
 import org.apache.catalina.WebResourceRoot;
@@ -1526,27 +1528,57 @@ protected InputStream findXsltInputStream(WebResource directory)
         /*  Open and read in file in one fell swoop to reduce chance
          *  chance of leaving handle open.
          */
-        if (globalXsltFile!=null) {
-            FileInputStream fis = null;
-
-            try {
-                File f = new File(globalXsltFile);
-                if (f.exists()){
-                    fis =new FileInputStream(f);
+        if (globalXsltFile != null) {
+            File f = validateGlobalXsltFile();
+            if (f != null && f.exists()){
+                try (FileInputStream fis = new FileInputStream(f)){
                     byte b[] = new byte[(int)f.length()]; /* danger! */
                     fis.read(b);
                     return new ByteArrayInputStream(b);
                 }
-            } finally {
-                if (fis!=null)
-                    fis.close();
             }
         }
 
         return null;
     }
 
 
+    private File validateGlobalXsltFile() {
+        Context context = resources.getContext();
+
+        File baseConf = new File(context.getCatalinaBase(), "conf");
+        File result = validateGlobalXsltFile(baseConf);
+        if (result == null) {
+            File homeConf = new File(context.getCatalinaHome(), "conf");
+            result = validateGlobalXsltFile(homeConf);
+        }
+
+        return result;
+    }
+
+
+    private File validateGlobalXsltFile(File base) {
+        File candidate = new File(base, globalXsltFile);
+
+        // First check that the resulting path is under the provided base
+        try {
+            if (!candidate.getCanonicalPath().startsWith(base.getCanonicalPath())) {
+                return null;
+            }
+        } catch (IOException ioe) {
+            return null;
+        }
+
+        // Next check that an .xlt or .xslt file has been specified
+        String nameLower = candidate.getName().toLowerCase(Locale.ENGLISH);
+        if (!nameLower.endsWith(".xslt") && !nameLower.endsWith(".xlt")) {
+            return null;
+        }
+
+        return candidate;
+    }
+
+
     // -------------------------------------------------------- protected Methods
 
 

java/org/apache/catalina/startup/FailedContext.java

@@ -689,6 +689,9 @@ public synchronized void addValve(Valve valve) { /* NO-OP */ }
     @Override
     public File getCatalinaBase() { return null; }
 
+    @Override
+    public File getCatalinaHome() { return null; }
+
     @Override
     public void setAddWebinfClassesResources(boolean addWebinfClassesResources) {
         // NO-OP

test/org/apache/catalina/core/TesterContext.java

@@ -276,6 +276,11 @@ public File getCatalinaBase() {
         return null;
     }
 
+    @Override
+    public File getCatalinaHome() {
+        return null;
+    }
+
     @Override
     public void addLifecycleListener(LifecycleListener listener) {
         // NO-OP

webapps/docs/default-servlet.xml

@@ -111,11 +111,12 @@ directory listings are disabled and debugging is turned off.
   </property>
   <property name="globalXsltFile">
         If you wish to customize your directory listing, you
-        can use an XSL transformation. This value is an absolute
-        file name which be used for all directory listings.
-        This can be overridden per context and/or per directory. See
-        <strong>contextXsltFile</strong> and <strong>localXsltFile</strong>
-        below. The format of the xml is shown below.
+        can use an XSL transformation. This value is a relative file name (to
+        either $CATALINA_BASE/conf/ or $CATALINA_HOME/conf/) which will be used
+        for all directory listings. This can be overridden per context and/or
+        per directory. See <strong>contextXsltFile</strong> and
+        <strong>localXsltFile</strong> below. The format of the xml is shown
+        below.
   </property>
   <property name="contextXsltFile">
         You may also customize your directory listing by context by