Bug 65433 - Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listWebAppPaths
Summary: Possible StringIndexOutOfBoundsException for symlinks in DirResourceSet.listW...
Status: RESOLVED FIXED
Alias: None
Product: Tomcat 9
Classification: Unclassified
Component: Catalina (show other bugs)
Version: 9.0.50
Hardware: PC Linux
: P2 normal (vote)
Target Milestone: -----
Assignee: Tomcat Developers Mailing List
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2021-07-05 13:18 UTC by Cedomir Igaly
Modified: 2021-07-19 09:01 UTC (History)
1 user (show)



Attachments
Patch to fix bug (1.40 KB, patch)
2021-07-05 13:18 UTC, Cedomir Igaly
Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Cedomir Igaly 2021-07-05 13:18:32 UTC
Created attachment 37944 [details]
Patch to fix bug

When entry is symbolic link outside of parent directory, it is possible that its cannonical path will be shorter than parent's cannonical path. In that case attempt to evaluate expression

canPath = entry.getCanonicalPath().substring(f.getCanonicalPath().length());

will end in throwing java.lang.StringIndexOutOfBoundsException.

Suggested solution is to compare lengths begore evaluation. 

It is possible that this problem is also present elsewhere.

Same problem will affect 10.0.x and 8.5.x branches as well.
Comment 1 Mark Thomas 2021-07-06 09:11:51 UTC
Thanks for the report and the patch.

Fixed in:
- 10.1.x for 10.1.0-M3 onwards
- 10.0.x for 10.0.9 onwards
- 9.0.x for 9.0.51 onwards
- 8.5.x for 8.5.70 onwards
Comment 2 Martin Knoblauch 2021-07-19 09:01:38 UTC
FWIW: I can confirm that the fix solves my observed problems as well