Bug 65433 - Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths
Summary: Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listW...
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 9.0.50
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
: 65637 (view as bug list)
Depends on:
Reported: 2021-07-05 13:18 UTC by Cedomir Igaly
Modified: 2021-10-18 16:54 UTC (History)
2 users (show)

Patch to fix bug (1.40 KB, patch)
2021-07-05 13:18 UTC, Cedomir Igaly
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Cedomir Igaly 2021-07-05 13:18:32 UTC
Created attachment 37944 [details]
Patch to fix bug

When entry is symbolic link outside of parent directory, it is possible that its cannonical path will be shorter than parent's cannonical path. In that case attempt to evaluate expression

canPath = entry.getCanonicalPath().substring(f.getCanonicalPath().length());

will end in throwing java.lang.StringIndexOutOfBoundsException.

Suggested solution is to compare lengths begore evaluation. 

It is possible that this problem is also present elsewhere.

Same problem will affect 10.0.x and 8.5.x branches as well.
Comment 1 Mark Thomas 2021-07-06 09:11:51 UTC
Thanks for the report and the patch.

Fixed in:
- 10.1.x for 10.1.0-M3 onwards
- 10.0.x for 10.0.9 onwards
- 9.0.x for 9.0.51 onwards
- 8.5.x for 8.5.70 onwards
Comment 2 Martin Knoblauch 2021-07-19 09:01:38 UTC
FWIW: I can confirm that the fix solves my observed problems as well
Comment 3 Christopher Schultz 2021-10-18 16:54:33 UTC
*** Bug 65637 has been marked as a duplicate of this bug. ***