Bug 65433 - Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths
Summary: Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listW...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 9.0.50
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
: 65637 (view as bug list)
Depends on:
Blocks:
 
Reported: 2021-07-05 13:18 UTC by Cedomir Igaly
Modified: 2021-10-18 16:54 UTC (History)
2 users (show)


Attachments
Patch to fix bug (1.40 KB, patch)
2021-07-05 13:18 UTC, Cedomir Igaly 		Details | Diff
View All Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Cedomir Igaly 2021-07-05 13:18:32 UTC 
Created attachment 37944 [details]
Patch to fix bug

When entry is symbolic link outside of parent directory, it is possible that its cannonical path will be shorter than parent's cannonical path. In that case attempt to evaluate expression

canPath = entry.getCanonicalPath().substring(f.getCanonicalPath().length());

will end in throwing java.lang.StringIndexOutOfBoundsException.

Suggested solution is to compare lengths begore evaluation. 

It is possible that this problem is also present elsewhere.

Same problem will affect 10.0.x and 8.5.x branches as well.
Comment 1 Mark Thomas 2021-07-06 09:11:51 UTC 
Thanks for the report and the patch.

Fixed in:
- 10.1.x for 10.1.0-M3 onwards
- 10.0.x for 10.0.9 onwards
- 9.0.x for 9.0.51 onwards
- 8.5.x for 8.5.70 onwards
Comment 2 Martin Knoblauch 2021-07-19 09:01:38 UTC 
FWIW: I can confirm that the fix solves my observed problems as well
Comment 3 Christopher Schultz 2021-10-18 16:54:33 UTC 
*** Bug 65637 has been marked as a duplicate of this bug. ***