Merge pull request #5989 from luiseufrasio/FISH-6603
Fish-6603 New 0-day vulnerability exploit using ROOT context root deployments
Pandrex247 committed Oct 24, 2022
2 parents b3a169d + 327e451 commit cccdfdd
Showing 2 changed files with 16 additions and 4 deletions.
Expand Up @@ -68,6 +68,7 @@
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;
import java.util.Locale;
import java.util.regex.Pattern;

import org.glassfish.grizzly.utils.Charsets;

Expand Down Expand Up @@ -97,6 +98,11 @@

private StandardContext context = null;

private static final Pattern PATTERN_META_INF = Pattern.compile("[.]{2}[/]?.*[/](META-INF[/].*|META-INF$)",
Pattern.CASE_INSENSITIVE);

private static final Pattern PATTERN_WEB_INF = Pattern.compile("[.]{2}[/]?.*[/](WEB-INF[/].*|WEB-INF$)",
Pattern.CASE_INSENSITIVE);

// ------------------------------------------------------------- Properties

Expand Down Expand Up @@ -294,12 +300,13 @@ protected String normalize(String path) {
if (rv.indexOf("./") == 0) {
rv = rv.replaceFirst("./", "/");
}
// has /WEB-INF or /META-INF
final String RV = rv.toUpperCase();
int index = RV.indexOf("/WEB-INF/");
if (index != -1 || RV.endsWith("/WEB-INF")) {
// has ../*/WEB-INF/* or ../*/META-INF/*
if (PATTERN_WEB_INF.matcher(rv).find()) {
return "/WEB-INF";
}
if (PATTERN_META_INF.matcher(rv).find()) {
return "/META-INF";
}

// Normalize the slashes and add leading slash if necessary
if (rv.indexOf('\\') >= 0) {
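Review bot: The two new pattern checks run before the backslash normalization that starts at `if (rv.indexOf('\\') >= 0) {`, and the patterns defined in the earlier hunk accept only `/` as a separator, so a backslash-separated variant of the test input (e.g. `..\app\WEB-INF\web.xml`, constructed) passes both `find()` calls and is only converted to forward slashes afterwards; either move the checks below the slash normalization or widen the separator class, e.g. `Pattern.compile("[.]{2}[/\\\\]?.*[/\\\\](WEB-INF[/\\\\].*|WEB-INF$)", Pattern.CASE_INSENSITIVE)` and the same for META-INF. The removed check matched any `/WEB-INF/` occurrence, whereas both new patterns require a leading `..`, so a path without a dot-dot segment no longer returns `/WEB-INF` from here; if that case is deliberately left to another layer, a one-line comment above the checks saying so would spare the next reader the same question. normalize() starts and ends outside this hunk.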
Expand Up @@ -97,6 +97,7 @@ public void normalizeURLTest() {
String path2 = "/app/./some/./something/./my.jsp";
String path3 = "./my.jsp";
String path4 = "../app/WEB-INF/web.xml";
String path5 = "../app/META-INF/MANIFEST.MF";

String result = standardContextValve.normalize(path1);

Expand All @@ -113,6 +114,10 @@ public void normalizeURLTest() {
result = standardContextValve.normalize(path4);

assertEquals("/WEB-INF", result);

result = standardContextValve.normalize(path5);

assertEquals("/META-INF", result);
}

protected void verifyThatResourceIsNotFound(int pipelineResult, int times, HttpRequest httpRequest, HttpResponse httpResponse,
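Review bot: The added assertion only pins the positive META-INF case; since the new patterns are compiled with `Pattern.CASE_INSENSITIVE` (the replaced code compared on `rv.toUpperCase()`), a mixed-case input such as `String path6 = "../app/web-inf/web.xml";` with `assertEquals("/WEB-INF", standardContextValve.normalize(path6));` would guard that behaviour against regression. A negative case for a path with no `..` segment would also document what normalize is expected to return now that the leading `..` is required by the patterns. normalizeURLTest() begins outside this hunk.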
