Bug 65433

Summary: Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths
Product: Tomcat 9 Reporter: Cedomir Igaly <cedomir.igaly>
Component: CatalinaAssignee: Tomcat Developers Mailing List <dev>
Severity: normal CC: cedomir.igaly, kryadov
Priority: P2    
Version: 9.0.50   
Target Milestone: -----   
Hardware: PC   
OS: Linux   
Attachments: Patch to fix bug

Description Cedomir Igaly 2021-07-05 13:18:32 UTC
Created attachment 37944 [details]
Patch to fix bug

When entry is symbolic link outside of parent directory, it is possible that its cannonical path will be shorter than parent's cannonical path. In that case attempt to evaluate expression

canPath = entry.getCanonicalPath().substring(f.getCanonicalPath().length());

will end in throwing java.lang.StringIndexOutOfBoundsException.

Suggested solution is to compare lengths begore evaluation. 

It is possible that this problem is also present elsewhere.

Same problem will affect 10.0.x and 8.5.x branches as well.
Comment 1 Mark Thomas 2021-07-06 09:11:51 UTC
Thanks for the report and the patch.

Fixed in:
- 10.1.x for 10.1.0-M3 onwards
- 10.0.x for 10.0.9 onwards
- 9.0.x for 9.0.51 onwards
- 8.5.x for 8.5.70 onwards
Comment 2 Martin Knoblauch 2021-07-19 09:01:38 UTC
FWIW: I can confirm that the fix solves my observed problems as well
Comment 3 Christopher Schultz 2021-10-18 16:54:33 UTC
*** Bug 65637 has been marked as a duplicate of this bug. ***