Skip to content

Commit

Permalink
Merge pull request #5989 from luiseufrasio/FISH-6603
Browse files Browse the repository at this point in the history
Fish-6603 New 0-day vulnerability exploit using ROOT context root deployments
  • Loading branch information
Pandrex247 committed Oct 24, 2022
2 parents b3a169d + 327e451 commit cccdfdd
Show file tree
Hide file tree
Showing 2 changed files with 16 additions and 4 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -68,6 +68,7 @@
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import org.glassfish.grizzly.utils.Charsets;

Expand Down Expand Up @@ -97,6 +98,11 @@ final class StandardContextValve

private StandardContext context = null;

private static final Pattern PATTERN_META_INF = Pattern.compile("[.]{2}[/]?.*[/](META-INF[/].*|META-INF$)",
Pattern.CASE_INSENSITIVE);

private static final Pattern PATTERN_WEB_INF = Pattern.compile("[.]{2}[/]?.*[/](WEB-INF[/].*|WEB-INF$)",
Pattern.CASE_INSENSITIVE);

// ------------------------------------------------------------- Properties

Expand Down Expand Up @@ -294,12 +300,13 @@ protected String normalize(String path) {
if (rv.indexOf("./") == 0) {
rv = rv.replaceFirst("./", "/");
}
// has /WEB-INF or /META-INF
final String RV = rv.toUpperCase();
int index = RV.indexOf("/WEB-INF/");
if (index != -1 || RV.endsWith("/WEB-INF")) {
// has ../*/WEB-INF/* or ../*/META-INF/*
if (PATTERN_WEB_INF.matcher(rv).find()) {
return "/WEB-INF";
}
if (PATTERN_META_INF.matcher(rv).find()) {
return "/META-INF";
}

// Normalize the slashes and add leading slash if necessary
if (rv.indexOf('\\') >= 0) {
Expand Down
Original file line number Diff line number Diff line change
Expand Up @@ -97,6 +97,7 @@ public void normalizeURLTest() {
String path2 = "/app/./some/./something/./my.jsp";
String path3 = "./my.jsp";
String path4 = "../app/WEB-INF/web.xml";
String path5 = "../app/META-INF/MANIFEST.MF";

String result = standardContextValve.normalize(path1);

Expand All @@ -113,6 +114,10 @@ public void normalizeURLTest() {
result = standardContextValve.normalize(path4);

assertEquals("/WEB-INF", result);

result = standardContextValve.normalize(path5);

assertEquals("/META-INF", result);
}

protected void verifyThatResourceIsNotFound(int pipelineResult, int times, HttpRequest httpRequest, HttpResponse httpResponse,
Expand Down

1 comment on commit cccdfdd

@xhl1027
Copy link

@xhl1027 xhl1027 commented on cccdfdd Aug 5, 2023

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

How to use this to fix it ?

Please sign in to comment.