Improve validation of storage location when using FileStore.

apache · May 5, 2020 · bb33048 · bb33048
1 parent 563f85a
commit bb33048
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 2 deletions.
diff --git a/java/org/apache/catalina/session/FileStore.java b/java/org/apache/catalina/session/FileStore.java
@@ -33,6 +33,8 @@
 import org.apache.catalina.Globals;
 import org.apache.catalina.Session;
 import org.apache.juli.logging.Log;
+import org.apache.juli.logging.LogFactory;
+import org.apache.tomcat.util.res.StringManager;
 
 /**
  * Concrete implementation of the <b>Store</b> interface that utilizes
@@ -43,6 +45,10 @@
  */
 public final class FileStore extends StoreBase {
 
+ private static final Log log = LogFactory.getLog(FileStore.class);
+ private static final StringManager sm = StringManager.getManager(FileStore.class);
+
+
  // ----------------------------------------------------- Constants
 
  /**
@@ -336,11 +342,20 @@ private File directory() throws IOException {
  * used in the file naming.
  */
  private File file(String id) throws IOException {
- if (this.directory == null) {
+ File storageDir = directory();
+ if (storageDir == null) {
  return null;
  }
+
  String filename = id + FILE_EXT;
- File file = new File(directory(), filename);
+ File file = new File(storageDir, filename);
+
+ // Check the file is within the storage directory
+ if (!file.getCanonicalPath().startsWith(storageDir.getCanonicalPath())) {
+ log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
+ return null;
+ }
+
  return file;
  }
 }
diff --git a/java/org/apache/catalina/session/LocalStrings.properties b/java/org/apache/catalina/session/LocalStrings.properties
@@ -29,6 +29,7 @@ JDBCStore.wrongDataSource=Cannot open JNDI DataSource [{0}]
 fileStore.createFailed=Unable to create directory [{0}] for the storage of session data
 fileStore.deleteFailed=Unable to delete file [{0}] which is preventing the creation of the session storage location
 fileStore.deleteSessionFailed=Unable to delete file [{0}] which is no longer required
+fileStore.invalid=Invalid persistence file [{0}] for session ID [{1}]
 fileStore.loading=Loading Session [{0}] from file [{1}]
 fileStore.removing=Removing Session [{0}] at file [{1}]
 fileStore.saving=Saving Session [{0}] to file [{1}]

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
@@ -114,6 +114,9 @@
  replacement to <code>:-</code> due to possible conflicts. The
  syntax is now <code>${name:-default}</code>. (remm)
  </fix>
+ <add>
+ Improve validation of storage location when using FileStore. (markt)
+ </add>
  </changelog>
  </subsection>
  <subsection name="Coyote">