Description: fix file restriction bypass or denial of service via untrusted web application
Origin: upstream, http://svn.apache.org/viewvc?view=revision&revision=1146703
Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=634992
5
Index: tomcat6-6.0.32/java/org/apache/catalina/connector/LocalStrings.properties
6
===================================================================
7
--- tomcat6-6.0.32.orig/java/org/apache/catalina/connector/LocalStrings.properties 2011-01-20 16:36:06.000000000 -0500
8
+++ tomcat6-6.0.32/java/org/apache/catalina/connector/LocalStrings.properties 2011-10-13 16:40:14.477357566 -0400
10
coyoteRequest.parseParameters=Exception thrown whilst processing POSTed parameters
11
coyoteRequest.postTooLarge=Parameters were not parsed because the size of the posted data was too big. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
12
coyoteRequest.chunkedPostTooLarge=Parameters were not parsed because the size of the posted data was too big. Because this request was a chunked request, it could not be processed further. Use the maxPostSize attribute of the connector to resolve this if the application should accept large POSTs.
13
+coyoteRequest.sendfileNotCanonical=Unable to determine canonical name of file [{0}] specified for use with sendfile
14
coyoteRequest.sessionEndAccessFail=Exception triggered ending access to session while recycling request
16
requestFacade.nullRequest=The request object has been recycled and is no longer associated with this facade
17
Index: tomcat6-6.0.32/java/org/apache/catalina/connector/Request.java
18
===================================================================
19
--- tomcat6-6.0.32.orig/java/org/apache/catalina/connector/Request.java 2011-02-01 22:09:54.000000000 -0500
20
+++ tomcat6-6.0.32/java/org/apache/catalina/connector/Request.java 2011-10-13 16:39:36.549356595 -0400
22
package org.apache.catalina.connector;
26
import java.io.InputStream;
27
import java.io.IOException;
28
import java.io.BufferedReader;
29
@@ -1455,6 +1456,26 @@
33
+ // Do the security check before any updates are made
34
+ if (Globals.IS_SECURITY_ENABLED &&
35
+ name.equals("org.apache.tomcat.sendfile.filename")) {
36
+ // Use the canonical file name to avoid any possible symlink and
37
+ // relative path issues
38
+ String canonicalPath;
40
+ canonicalPath = new File(value.toString()).getCanonicalPath();
41
+ } catch (IOException e) {
42
+ throw new SecurityException(sm.getString(
43
+ "coyoteRequest.sendfileNotCanonical", value), e);
45
+ // Sendfile is performed in Tomcat's security context so need to
46
+ // check if the web app is permitted to access the file while still
47
+ // in the web app's security context
48
+ System.getSecurityManager().checkRead(canonicalPath);
49
+ // Update the value so the canonical path is used
50
+ value = canonicalPath;
53
oldValue = attributes.put(name, value);
54
if (oldValue != null) {
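Review bot: The `checkRead(canonicalPath)` call validates the path as it resolves when the attribute is set, but the comments never say that the file is opened later, in Tomcat's own security context. The check therefore holds only if the components of the canonical path do not change between the two points. I would extend the comment above `value = canonicalPath;` to say so, e.g. `// The connector opens this path later; the permission check above covers the path as resolved now`. The `org.apache.tomcat.sendfile.*` names also appear as bare string literals here and in DefaultServlet, so a shared constant would keep the guarded name and its consumers from drifting apart. This rendering drops some lines of the hunk (the `try {` and the closing braces), and the enclosing method, presumably `setAttribute`, starts and ends outside it.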
56
Index: tomcat6-6.0.32/java/org/apache/catalina/servlets/DefaultServlet.java
57
===================================================================
58
--- tomcat6-6.0.32.orig/java/org/apache/catalina/servlets/DefaultServlet.java 2011-01-20 12:08:54.000000000 -0500
59
+++ tomcat6-6.0.32/java/org/apache/catalina/servlets/DefaultServlet.java 2011-10-13 16:39:36.549356595 -0400
61
request.setAttribute("org.apache.tomcat.sendfile.start", new Long(range.start));
62
request.setAttribute("org.apache.tomcat.sendfile.end", new Long(range.end + 1));
64
- request.setAttribute("org.apache.tomcat.sendfile.token", this);
68
Index: tomcat6-6.0.32/java/org/apache/coyote/http11/Http11AprProcessor.java
69
===================================================================
70
--- tomcat6-6.0.32.orig/java/org/apache/coyote/http11/Http11AprProcessor.java 2011-01-07 12:49:20.000000000 -0500
71
+++ tomcat6-6.0.32/java/org/apache/coyote/http11/Http11AprProcessor.java 2011-10-13 16:39:36.549356595 -0400
73
sendfileData.socket = socket;
74
sendfileData.keepAlive = keepAlive;
75
if (!endpoint.getSendfile().add(sendfileData)) {
77
+ if (sendfileData.socket == 0) {
78
+ // Didn't send all the data but the socket is no longer
79
+ // set. Something went wrong. Close the connection.
80
+ // Too late to set status code.
81
+ if (log.isDebugEnabled()) {
82
+ log.debug(sm.getString(
83
+ "http11processor.sendfile.error"));
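Review bot: The new `sendfileData.socket == 0` branch reports the failure only under `log.isDebugEnabled()`, so with default logging a dropped connection caused by bad sendfile attributes leaves no trace for operators. The message text itself points at invalid start/end request attributes, which is the condition an untrusted web application can create, so it deserves a visible level, e.g. `log.warn(sm.getString("http11processor.sendfile.error"));`. If the condition can be triggered repeatedly, log volume should be considered at the same time. The remainder of the branch after the `log.debug` call is not visible in this rendering.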
92
Index: tomcat6-6.0.32/java/org/apache/coyote/http11/LocalStrings.properties
93
===================================================================
94
--- tomcat6-6.0.32.orig/java/org/apache/coyote/http11/LocalStrings.properties 2009-05-02 21:29:42.000000000 -0400
95
+++ tomcat6-6.0.32/java/org/apache/coyote/http11/LocalStrings.properties 2011-10-13 16:39:36.549356595 -0400
97
http11processor.socket.info=Exception getting socket information
98
http11processor.socket.ssl=Exception getting SSL attributes
99
http11processor.socket.timeout=Error setting socket timeout
100
+http11processor.sendfile.error=Error sending data using sendfile. May be caused by invalid request attributes for start/end points
103
# InternalInputBuffer
104
Index: tomcat6-6.0.32/java/org/apache/tomcat/util/net/AprEndpoint.java
105
===================================================================
106
--- tomcat6-6.0.32.orig/java/org/apache/tomcat/util/net/AprEndpoint.java 2011-02-01 03:07:46.000000000 -0500
107
+++ tomcat6-6.0.32/java/org/apache/tomcat/util/net/AprEndpoint.java 2011-10-13 16:41:23.769359341 -0400
108
@@ -1812,7 +1812,9 @@
109
data.pos, data.end - data.pos, 0);
111
if (!(-nw == Status.EAGAIN)) {
112
- destroySocket(data.socket);
113
+ Pool.destroy(data.fdpool);
114
+ // No need to close socket, this will be done by
115
+ // calling code since data.socket == 0
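Review bot: The added comment says the caller closes the socket "since data.socket == 0", but no visible line in this hunk sets `data.socket` to 0, so the comment describes a state that is presumably established just below. The zero value is also an implicit cross-file contract, because Http11AprProcessor tests `sendfileData.socket == 0` to detect this failure. I would reword the comment to state that contract, e.g. `// Socket is closed by the caller, which treats data.socket == 0 (set below) as the failure signal`. The hunk's trailing lines are missing from this rendering, so the assignment should be confirmed against the full file.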
119
Index: tomcat6-6.0.32/java/org/apache/tomcat/util/net/NioEndpoint.java
120
===================================================================
121
--- tomcat6-6.0.32.orig/java/org/apache/tomcat/util/net/NioEndpoint.java 2011-01-07 13:43:39.000000000 -0500
122
+++ tomcat6-6.0.32/java/org/apache/tomcat/util/net/NioEndpoint.java 2011-10-13 16:39:36.553356596 -0400
123
@@ -1734,6 +1734,13 @@
125
sd.length -= written;
128
+ // Unusual not to be able to transfer any bytes
129
+ // Check the length was set correctly
130
+ if (sd.fchannel.size() <= sd.pos) {
131
+ throw new IOException("Sendfile configured to " +
132
+ "send more data than was available");
136
if ( sd.length <= 0 && sc.getOutboundRemaining()<=0) {
137
@@ -1758,6 +1765,7 @@
138
log.debug("Send file connection is being closed");
140
cancelledKey(sk,SocketStatus.STOP,false);
143
} else if ( attachment.interestOps() == 0 && reg ) {
144
if (log.isDebugEnabled()) {