tomcat/tomcat-9.0-CVE-2022-23181.patch

Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
===================================================================
--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/session/FileStore.java
+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java
@@ -349,13 +349,14 @@ public final class FileStore extends Sto
 
         String filename = id + FILE_EXT;
         File file = new File(storageDir, filename);
+        File canonicalFile = file.getCanonicalFile();
 
         // Check the file is within the storage directory
-        if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
+        if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {
             log.warn(sm.getString("fileStore.invalid", file.getPath(), id));
             return null;
         }
 
-        return file;
+        return canonicalFile;
     }
 }
Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
===================================================================
--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml
+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml
@@ -118,6 +118,10 @@
         Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK
         for Java. (markt)
       </scode>
+      <fix>
+        Make the calculation of the session storage location more robust when
+        using file based persistent storage. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">
- Fixed CVEs: * CVE-2022-23181: Make calculation of session storage location more robust (bsc#1195255) - Added patches: * tomcat-9.0-CVE-2022-23181.patch OBS-URL: https://build.opensuse.org/package/show/Java:packages/tomcat?expand=0&rev=232 2022-01-28 14:25:17 +00:00			`Index: apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java`
			`===================================================================`
			`--- apache-tomcat-9.0.43-src.orig/java/org/apache/catalina/session/FileStore.java`
			`+++ apache-tomcat-9.0.43-src/java/org/apache/catalina/session/FileStore.java`
			`@@ -349,13 +349,14 @@ public final class FileStore extends Sto`

			`String filename = id + FILE_EXT;`
			`File file = new File(storageDir, filename);`
			`+ File canonicalFile = file.getCanonicalFile();`

			`// Check the file is within the storage directory`
			`- if (!file.getCanonicalFile().toPath().startsWith(storageDir.getCanonicalFile().toPath())) {`
			`+ if (!canonicalFile.toPath().startsWith(storageDir.getCanonicalFile().toPath())) {`
			`log.warn(sm.getString("fileStore.invalid", file.getPath(), id));`
			`return null;`
			`}`

			`- return file;`
			`+ return canonicalFile;`
			`}`
			`}`
			`Index: apache-tomcat-9.0.43-src/webapps/docs/changelog.xml`
			`===================================================================`
			`--- apache-tomcat-9.0.43-src.orig/webapps/docs/changelog.xml`
			`+++ apache-tomcat-9.0.43-src/webapps/docs/changelog.xml`
			`@@ -118,6 +118,10 @@`
			`Expand coverage of unit tests for JNDIRealm using the UnboundID LDAP SDK`
			`for Java. (markt)`
			`</scode>`
			`+ <fix>`
			`+ Make the calculation of the session storage location more robust when`
			`+ using file based persistent storage. (markt)`
			`+ </fix>`
			`</changelog>`
			`</subsection>`
			`<subsection name="Coyote">`