angler-fishThe Vulnerability History Project

Various related (un)deploy improvements including:

      - better handling of failed (un)deployment
 - adding checking for valid zip file entries that don't make sense in a WAR file
 - improved validation of WAR file names
 - make sure error messages match the action
 - the return from File.getCanonicalPath() may or may not return a final separator for directories

This fixes CVE-2009-2693, CVE-2009-2901 & CVE-2009-2902

git-svn-id: https://svn.apache.org/repos/asf/tomcat/trunk@892795 13f79535-47bb-0310-9956-ffa450edef68
by Pauline the Wren 2009-12-21 12:25:14 UTC
commit 3e1010b1a2f648581fac3d68afbf18f2979f6bf6
Tomcat Fix Remote Arbitrary File Creation CVE-2009-2693
java/org/apache/catalina/loader/LocalStrings.properties
-2
java/org/apache/catalina/loader/WebappClassLoader.java
+1 -25
java/org/apache/catalina/startup/ContextConfig.java
+11 -17
java/org/apache/catalina/startup/ExpandWar.java
+15 -158
java/org/apache/catalina/startup/HostConfig.java
+3 -55
java/org/apache/catalina/startup/LocalStrings.properties
-3
expand_less