CVE-2017-12617

@@ -212,7 +212,8 @@ protected File file(String name, boolean mustExist) {
                     }
                 }
             }
-            if (name.startsWith(path + "/")) {
+            path += "/";
+            if (name.startsWith(path)) {
                 String res = name.substring(path.length());
                 for (String resourcesDir : dirList) {
                     file = new File(resourcesDir, res);

@@ -0,0 +1,102 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.io.File;
+
+import javax.naming.NamingException;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.catalina.startup.LoggingBaseTest;
+
+public class TestVirtualDirContext {
+
+    @Test
+    public void testBug62498() throws NamingException {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        File f1 = vdc.file("");
+        Assert.assertNotNull(f1);
+        File f2 = vdc.file("/");
+        Assert.assertNotNull(f2);
+        Assert.assertEquals(f1.getAbsolutePath(), f2.getAbsolutePath());
+
+        Object obj1 = vdc.lookup("");
+        Assert.assertTrue(obj1 instanceof FileDirContext);
+        Object obj2 = vdc.lookup("/");
+        Assert.assertTrue(obj2 instanceof FileDirContext);
+        Assert.assertEquals(((FileDirContext) obj1).absoluteBase, ((FileDirContext) obj2).absoluteBase);
+    }
+
+
+    @Test
+    public void testBug62498a() {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        File f1 = vdc.file("");
+        Assert.assertNotNull(f1);
+    }
+
+
+    @Test
+    public void testBug62498b() {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        File f2 = vdc.file("/");
+        Assert.assertNotNull(f2);
+    }
+
+
+    @Test
+    public void testBug62498c() throws NamingException {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        Object obj1 = vdc.lookup("");
+        Assert.assertTrue(obj1 instanceof FileDirContext);
+    }
+
+
+    @Test
+    public void testBug62498d() throws NamingException {
+        VirtualDirContext vdc = new VirtualDirContext();
+        // No docBase
+        vdc.setExtraResourcePaths("/=" + LoggingBaseTest.getBuildDirectory().getAbsolutePath());
+
+        vdc.allocate();
+
+        Object obj2 = vdc.lookup("/");
+        Assert.assertTrue(obj2 instanceof FileDirContext);
+    }
+}

@@ -58,6 +58,13 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 7.0.90 (violetagg)">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>62498</fix>: Correct a regression in the fix for CVE-2017-12617 that
+      caused request failures for some requests when using the
+      <code>VirtualDirContext</code>. (markt)
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 7.0.89 (violetagg)">
   <subsection name="Catalina">

@@ -804,6 +804,10 @@ protected File file(String name) {
      * @param mustExist Must the specified resource exist?
      */
     protected File file(String name, boolean mustExist) {
+        if (name.equals("/")) {
+            name = "";
+        }
+
         File file = new File(base, name);
         return validate(file, name, mustExist, absoluteBase, canonicalBase);
     }

@@ -810,7 +810,7 @@ protected File file(String name, boolean mustExist) {
 
 
     protected File validate(File file, String name, boolean mustExist, String absoluteBase,
-    		String canonicalBase) {
+            String canonicalBase) {
 
         // If the requested names ends in '/', the Java File API will return a
         // matching file if one exists. This isn't what we want as it is not

@@ -330,9 +330,9 @@ protected String doGetRealPath(String path) {
             return null;
         }
     }
-    
-    
+
+
     protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
-    	return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase);
+        return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase);
     }
 }

@@ -805,11 +805,12 @@ protected File file(String name) {
      */
     protected File file(String name, boolean mustExist) {
         File file = new File(base, name);
-        return validate(file, name, mustExist, absoluteBase);
+        return validate(file, name, mustExist, absoluteBase, canonicalBase);
     }
 
 
-    protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
+    protected File validate(File file, String name, boolean mustExist, String absoluteBase,
+    		String canonicalBase) {
 
         // If the requested names ends in '/', the Java File API will return a
         // matching file if one exists. This isn't what we want as it is not
@@ -850,8 +851,8 @@ protected File validate(File file, String name, boolean mustExist, String absolu
         // Ensure that the file is not outside the fileBase. This should not be
         // possible for standard requests (the request is normalized early in
         // the request processing) but might be possible for some access via the
-        // Servlet API (RequestDispatcheretc.) therefore these checks are
-        // retained as an additional safety measure absoluteBase has been
+        // Servlet API (RequestDispatcher etc.) therefore these checks are
+        // retained as an additional safety measure. absoluteBase has been
         // normalized so absPath needs to be normalized as well.
         String absPath = normalize(file.getAbsolutePath());
         if ((absoluteBase.length() > absPath.length())) {

@@ -330,4 +330,9 @@ protected String doGetRealPath(String path) {
             return null;
         }
     }
+    
+    
+    protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
+    	return validate(file, name, mustExist, normalize(absoluteBase), absoluteBase);
+    }
 }

@@ -14,8 +14,6 @@
  * See the License for the specific language governing permissions and
  * limitations under the License.
  */
-
-
 package org.apache.naming.resources;
 
 import java.io.File;
@@ -97,6 +95,8 @@ public FileDirContext(Hashtable<String,Object> env) {
      */
     protected String absoluteBase = null;
 
+    private String canonicalBase = null;
+
 
     /**
      * Allow linking.
@@ -106,7 +106,6 @@ public FileDirContext(Hashtable<String,Object> env) {
 
     // ------------------------------------------------------------- Properties
 
-
     /**
      * Set the document root.
      *
@@ -137,14 +136,14 @@ public void setDocBase(String docBase) {
             throw new IllegalArgumentException(sm.getString("fileResources.base", docBase));
         }
 
+        this.absoluteBase = normalize(base.getAbsolutePath());
+
         // absoluteBase also needs to be normalized. Using the canonical path is
         // the simplest way of doing this.
         try {
-            this.absoluteBase = base.getCanonicalPath();
+            this.canonicalBase = base.getCanonicalPath();
         } catch (IOException e) {
-            log.warn(sm.getString("fileResources.canonical.fail", base.getPath()));
-            // Fall back to the absolute path
-            this.absoluteBase = base.getAbsolutePath();
+            throw new IllegalArgumentException(e);
         }
         super.setDocBase(docBase);
     }
@@ -827,8 +826,15 @@ protected File validate(File file, String name, boolean mustExist, String absolu
 
         // If allow linking is enabled, files are not limited to being located
         // under the fileBase so all further checks are disabled.
-        if (allowLinking)
+        if (allowLinking) {
             return file;
+        }
+
+        // Additional Windows specific checks to handle known problems with
+        // File.getCanonicalPath()
+        if (JrePlatform.IS_WINDOWS && isInvalidWindowsFilename(name)) {
+            return null;
+        }
 
         // Check that this file is located under the web application root
         String canPath = null;
@@ -837,17 +843,16 @@ protected File validate(File file, String name, boolean mustExist, String absolu
         } catch (IOException e) {
             // Ignore
         }
-        if (canPath == null || !canPath.startsWith(absoluteBase)) {
+        if (canPath == null || !canPath.startsWith(canonicalBase)) {
             return null;
         }
 
         // Ensure that the file is not outside the fileBase. This should not be
         // possible for standard requests (the request is normalized early in
         // the request processing) but might be possible for some access via the
-        // Servlet API (RequestDispatcher, HTTP/2 push etc.) therefore these
-        // checks are retained as an additional safety measure
-        // absoluteBase has been normalized so absPath needs to be normalized as
-        // well.
+        // Servlet API (RequestDispatcheretc.) therefore these checks are
+        // retained as an additional safety measure absoluteBase has been
+        // normalized so absPath needs to be normalized as well.
         String absPath = normalize(file.getAbsolutePath());
         if ((absoluteBase.length() > absPath.length())) {
             return null;
@@ -857,7 +862,7 @@ protected File validate(File file, String name, boolean mustExist, String absolu
         // was not part of the requested path and the remaining check only
         // applies to the request path
         absPath = absPath.substring(absoluteBase.length());
-        canPath = canPath.substring(absoluteBase.length());
+        canPath = canPath.substring(canonicalBase.length());
 
         // Case sensitivity check
         // The normalized requested path should be an exact match the equivalent
@@ -870,9 +875,8 @@ protected File validate(File file, String name, boolean mustExist, String absolu
         //
         // absPath is normalized so canPath needs to be normalized as well
         // Can't normalize canPath earlier as canonicalBase is not normalized
-        canPath = normalize(canPath);
-        if (absPath.length() == 0) {
-            absPath = "/";
+        if (canPath.length() > 0) {
+            canPath = normalize(canPath);
         }
         if (!canPath.equals(absPath)) {
             return null;
@@ -882,6 +886,36 @@ protected File validate(File file, String name, boolean mustExist, String absolu
     }
 
 
+    private boolean isInvalidWindowsFilename(String name) {
+        final int len = name.length();
+        if (len == 0) {
+            return false;
+        }
+        // This consistently ~10 times faster than the equivalent regular
+        // expression irrespective of input length.
+        for (int i = 0; i < len; i++) {
+            char c = name.charAt(i);
+            if (c == '\"' || c == '<' || c == '>') {
+                // These characters are disallowed in Windows file names and
+                // there are known problems for file names with these characters
+                // when using File#getCanonicalPath().
+                // Note: There are additional characters that are disallowed in
+                //       Windows file names but these are not known to cause
+                //       problems when using File#getCanonicalPath().
+                return true;
+            }
+        }
+        // Windows does not allow file names to end in ' ' unless specific low
+        // level APIs are used to create the files that bypass various checks.
+        // File names that end in ' ' are known to cause problems when using
+        // File#getCanonicalPath().
+        if (name.charAt(len -1) == ' ') {
+            return true;
+        }
+        return false;
+    }
+
+
     /**
      * List the resources which are members of a collection.
      *

@@ -0,0 +1,59 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+public class JrePlatform {
+
+    private static final String OS_NAME_PROPERTY = "os.name";
+    private static final String OS_NAME_WINDOWS_PREFIX = "Windows";
+
+    static {
+        /*
+         * There are a few places where a) the behaviour of the Java API depends
+         * on the underlying platform and b) those behavioural differences have
+         * an impact on Tomcat.
+         *
+         * Tomcat therefore needs to be able to determine the platform it is
+         * running on to account for those differences.
+         *
+         * In an ideal world this code would not exist.
+         */
+
+        // This check is derived from the check in Apache Commons Lang
+        String osName;
+        if (System.getSecurityManager() == null) {
+            osName = System.getProperty(OS_NAME_PROPERTY);
+        } else {
+            osName = AccessController.doPrivileged(
+                    new PrivilegedAction<String>() {
+
+                    @Override
+                    public String run() {
+                        return System.getProperty(OS_NAME_PROPERTY);
+                    }
+                });
+        }
+
+        IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX);
+    }
+
+
+    public static final boolean IS_WINDOWS;
+}

@@ -136,14 +136,14 @@ protected final File file(String name, boolean mustExist) {
 
 
     private boolean isInvalidWindowsFilename(String name) {
-        if (name.length() == 0) {
+        final int len = name.length();
+        if (len == 0) {
             return false;
         }
-        // For typical length file names, this is 2-3 times faster than the
-        // equivalent regular expression. The cut-over point is file names (not
-        // full paths) of ~65 characters.
-        char[] chars = name.toCharArray();
-        for (char c : chars) {
+        // This consistently ~10 times faster than the equivalent regular
+        // expression irrespective of input length.
+        for (int i = 0; i < len; i++) {
+            char c = name.charAt(i);
             if (c == '\"' || c == '<' || c == '>') {
                 // These characters are disallowed in Windows file names and
                 // there are known problems for file names with these characters
@@ -154,11 +154,11 @@ private boolean isInvalidWindowsFilename(String name) {
                 return true;
             }
         }
-        // Windows does allow file names to end in ' ' unless specific low level
-        // APIs are used to create the files that bypass various checks. File
-        // names that end in ' ' are known to cause problems when using
+        // Windows does not allow file names to end in ' ' unless specific low
+        // level APIs are used to create the files that bypass various checks.
+        // File names that end in ' ' are known to cause problems when using
         // File#getCanonicalPath().
-        if (chars[chars.length -1] == ' ') {
+        if (name.charAt(len -1) == ' ') {
             return true;
         }
         return false;

@@ -27,7 +27,7 @@ public class TestAbstractFileResourceSetPerformance {
     private static final int LOOPS = 10_000_000;
 
     /*
-     * Checking individual characters is about 3 times faster on markt's dev
+     * Checking individual characters is about 10 times faster on markt's dev
      * PC for typical length file names. The file names need to get to ~65
      * characters before the Pattern matching is faster.
      */
@@ -36,22 +36,31 @@ public void testFileNameFiltering() {
 
         long start = System.nanoTime();
         for (int i = 0; i < LOOPS; i++) {
-            UNSAFE_WINDOWS_FILENAME_PATTERN.matcher("testfile.jsp ").matches();
+            UNSAFE_WINDOWS_FILENAME_PATTERN.matcher("testfile.jsp ").find();
         }
         long end = System.nanoTime();
         System.out.println("Regular expression took " + (end - start) + "ns or " +
                 (end-start)/LOOPS + "ns per iteration");
 
         start = System.nanoTime();
         for (int i = 0; i < LOOPS; i++) {
-            checkForBadChars("testfile.jsp ");
+            checkForBadCharsArray("testfile.jsp ");
         }
         end = System.nanoTime();
         System.out.println("char[] check took " + (end - start) + "ns or " +
                 (end-start)/LOOPS + "ns per iteration");
+
+        start = System.nanoTime();
+        for (int i = 0; i < LOOPS; i++) {
+            checkForBadCharsAt("testfile.jsp ");
+        }
+        end = System.nanoTime();
+        System.out.println("charAt() check took " + (end - start) + "ns or " +
+                (end-start)/LOOPS + "ns per iteration");
+
     }
 
-    private boolean checkForBadChars(String filename) {
+    private boolean checkForBadCharsArray(String filename) {
         char[] chars = filename.toCharArray();
         for (char c : chars) {
             if (c == '\"' || c == '<' || c == '>') {
@@ -63,4 +72,19 @@ private boolean checkForBadChars(String filename) {
         }
         return true;
     }
+
+
+    private boolean checkForBadCharsAt(String filename) {
+        final int len = filename.length();
+        for (int i = 0; i < len; i++) {
+            char c = filename.charAt(i);
+            if (c == '\"' || c == '<' || c == '>') {
+                return false;
+            }
+        }
+        if (filename.charAt(len - 1) == ' ') {
+            return false;
+        }
+        return true;
+    }
 }

@@ -136,12 +136,12 @@ protected final File file(String name, boolean mustExist) {
 
 
     private boolean isInvalidWindowsFilename(String name) {
-        if (name.length() == 0) {
+        final int len = name.length();
+        if (len == 0) {
             return false;
         }
         // This consistently ~10 times faster than the equivalent regular
         // expression irrespective of input length.
-        final int len = name.length();
         for (int i = 0; i < len; i++) {
             char c = name.charAt(i);
             if (c == '\"' || c == '<' || c == '>') {

@@ -139,11 +139,11 @@ private boolean isInvalidWindowsFilename(String name) {
         if (name.length() == 0) {
             return false;
         }
-        // For typical length file names, this is 2-3 times faster than the
-        // equivalent regular expression. The cut-over point is file names (not
-        // full paths) of ~65 characters.
-        char[] chars = name.toCharArray();
-        for (char c : chars) {
+        // This consistently ~10 times faster than the equivalent regular
+        // expression irrespective of input length.
+        final int len = name.length();
+        for (int i = 0; i < len; i++) {
+            char c = name.charAt(i);
             if (c == '\"' || c == '<' || c == '>') {
                 // These characters are disallowed in Windows file names and
                 // there are known problems for file names with these characters
@@ -154,11 +154,11 @@ private boolean isInvalidWindowsFilename(String name) {
                 return true;
             }
         }
-        // Windows does allow file names to end in ' ' unless specific low level
-        // APIs are used to create the files that bypass various checks. File
-        // names that end in ' ' are known to cause problems when using
+        // Windows does not allow file names to end in ' ' unless specific low
+        // level APIs are used to create the files that bypass various checks.
+        // File names that end in ' ' are known to cause problems when using
         // File#getCanonicalPath().
-        if (chars[chars.length -1] == ' ') {
+        if (name.charAt(len -1) == ' ') {
             return true;
         }
         return false;

@@ -27,7 +27,7 @@ public class TestAbstractFileResourceSetPerformance {
     private static final int LOOPS = 10_000_000;
 
     /*
-     * Checking individual characters is about 3 times faster on markt's dev
+     * Checking individual characters is about 10 times faster on markt's dev
      * PC for typical length file names. The file names need to get to ~65
      * characters before the Pattern matching is faster.
      */
@@ -36,22 +36,31 @@ public void testFileNameFiltering() {
 
         long start = System.nanoTime();
         for (int i = 0; i < LOOPS; i++) {
-            UNSAFE_WINDOWS_FILENAME_PATTERN.matcher("testfile.jsp ").matches();
+            UNSAFE_WINDOWS_FILENAME_PATTERN.matcher("testfile.jsp ").find();
         }
         long end = System.nanoTime();
         System.out.println("Regular expression took " + (end - start) + "ns or " +
                 (end-start)/LOOPS + "ns per iteration");
 
         start = System.nanoTime();
         for (int i = 0; i < LOOPS; i++) {
-            checkForBadChars("testfile.jsp ");
+            checkForBadCharsArray("testfile.jsp ");
         }
         end = System.nanoTime();
         System.out.println("char[] check took " + (end - start) + "ns or " +
                 (end-start)/LOOPS + "ns per iteration");
+
+        start = System.nanoTime();
+        for (int i = 0; i < LOOPS; i++) {
+            checkForBadCharsAt("testfile.jsp ");
+        }
+        end = System.nanoTime();
+        System.out.println("charAt() check took " + (end - start) + "ns or " +
+                (end-start)/LOOPS + "ns per iteration");
+
     }
 
-    private boolean checkForBadChars(String filename) {
+    private boolean checkForBadCharsArray(String filename) {
         char[] chars = filename.toCharArray();
         for (char c : chars) {
             if (c == '\"' || c == '<' || c == '>') {
@@ -63,4 +72,19 @@ private boolean checkForBadChars(String filename) {
         }
         return true;
     }
+
+
+    private boolean checkForBadCharsAt(String filename) {
+        final int len = filename.length();
+        for (int i = 0; i < len; i++) {
+            char c = filename.charAt(i);
+            if (c == '\"' || c == '<' || c == '>') {
+                return false;
+            }
+        }
+        if (filename.charAt(len - 1) == ' ') {
+            return false;
+        }
+        return true;
+    }
 }

@@ -136,6 +136,9 @@ protected final File file(String name, boolean mustExist) {
 
 
     private boolean isInvalidWindowsFilename(String name) {
+        if (name.length() == 0) {
+            return false;
+        }
         // For typical length file names, this is 2-3 times faster than the
         // equivalent regular expression. The cut-over point is file names (not
         // full paths) of ~65 characters.

@@ -136,6 +136,9 @@ protected final File file(String name, boolean mustExist) {
 
 
     private boolean isInvalidWindowsFilename(String name) {
+        if (name.length() == 0) {
+            return false;
+        }
         // For typical length file names, this is 2-3 times faster than the
         // equivalent regular expression. The cut-over point is file names (not
         // full paths) of ~65 characters.

@@ -22,6 +22,7 @@
 import java.net.URL;
 
 import org.apache.catalina.LifecycleException;
+import org.apache.tomcat.util.compat.JrePlatform;
 import org.apache.tomcat.util.http.RequestUtil;
 
 public abstract class AbstractFileResourceSet extends AbstractResourceSet {
@@ -77,6 +78,12 @@ protected final File file(String name, boolean mustExist) {
             return file;
         }
 
+        // Additional Windows specific checks to handle known problems with
+        // File.getCanonicalPath()
+        if (JrePlatform.IS_WINDOWS && isInvalidWindowsFilename(name)) {
+            return null;
+        }
+
         // Check that this file is located under the WebResourceSet's base
         String canPath = null;
         try {
@@ -127,6 +134,34 @@ protected final File file(String name, boolean mustExist) {
         return file;
     }
 
+
+    private boolean isInvalidWindowsFilename(String name) {
+        // For typical length file names, this is 2-3 times faster than the
+        // equivalent regular expression. The cut-over point is file names (not
+        // full paths) of ~65 characters.
+        char[] chars = name.toCharArray();
+        for (char c : chars) {
+            if (c == '\"' || c == '<' || c == '>') {
+                // These characters are disallowed in Windows file names and
+                // there are known problems for file names with these characters
+                // when using File#getCanonicalPath().
+                // Note: There are additional characters that are disallowed in
+                //       Windows file names but these are not known to cause
+                //       problems when using File#getCanonicalPath().
+                return true;
+            }
+        }
+        // Windows does allow file names to end in ' ' unless specific low level
+        // APIs are used to create the files that bypass various checks. File
+        // names that end in ' ' are known to cause problems when using
+        // File#getCanonicalPath().
+        if (chars[chars.length -1] == ' ') {
+            return true;
+        }
+        return false;
+    }
+
+
     /**
      * Return a context-relative path, beginning with a "/", that represents
      * the canonical version of the specified path after ".." and "." elements

@@ -0,0 +1,59 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.tomcat.util.compat;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+public class JrePlatform {
+
+    private static final String OS_NAME_PROPERTY = "os.name";
+    private static final String OS_NAME_WINDOWS_PREFIX = "Windows";
+
+    static {
+        /*
+         * There are a few places where a) the behaviour of the Java API depends
+         * on the underlying platform and b) those behavioural differences have
+         * an impact on Tomcat.
+         *
+         * Tomcat therefore needs to be able to determine the platform it is
+         * running on to account for those differences.
+         *
+         * In an ideal world this code would not exist.
+         */
+
+        // This check is derived from the check in Apache Commons Lang
+        String osName;
+        if (System.getSecurityManager() == null) {
+            osName = System.getProperty(OS_NAME_PROPERTY);
+        } else {
+            osName = AccessController.doPrivileged(
+                    new PrivilegedAction<String>() {
+
+                    @Override
+                    public String run() {
+                        return System.getProperty(OS_NAME_PROPERTY);
+                    }
+                });
+        }
+
+        IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX);
+    }
+
+
+    public static final boolean IS_WINDOWS;
+}

@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.webresources;
+
+import java.util.regex.Pattern;
+
+import org.junit.Test;
+
+public class TestAbstractFileResourceSetPerformance {
+
+    private static final Pattern UNSAFE_WINDOWS_FILENAME_PATTERN = Pattern.compile(" $|[\"<>]");
+
+    private static final int LOOPS = 10_000_000;
+
+    /*
+     * Checking individual characters is about 3 times faster on markt's dev
+     * PC for typical length file names. The file names need to get to ~65
+     * characters before the Pattern matching is faster.
+     */
+    @Test
+    public void testFileNameFiltering() {
+
+        long start = System.nanoTime();
+        for (int i = 0; i < LOOPS; i++) {
+            UNSAFE_WINDOWS_FILENAME_PATTERN.matcher("testfile.jsp ").matches();
+        }
+        long end = System.nanoTime();
+        System.out.println("Regular expression took " + (end - start) + "ns or " +
+                (end-start)/LOOPS + "ns per iteration");
+
+        start = System.nanoTime();
+        for (int i = 0; i < LOOPS; i++) {
+            checkForBadChars("testfile.jsp ");
+        }
+        end = System.nanoTime();
+        System.out.println("char[] check took " + (end - start) + "ns or " +
+                (end-start)/LOOPS + "ns per iteration");
+    }
+
+    private boolean checkForBadChars(String filename) {
+        char[] chars = filename.toCharArray();
+        for (char c : chars) {
+            if (c == '\"' || c == '<' || c == '>') {
+                return false;
+            }
+        }
+        if (chars[chars.length -1] == ' ') {
+            return false;
+        }
+        return true;
+    }
+}

@@ -45,6 +45,16 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 8.5.23 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        Add additional validation to the resource handling required to fix
+        CVE-2017-12617 on Windows. The checks were being performed elsewhere but
+        adding them to the resource handling ensures that the checks are always
+        performed. (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Other">
     <changelog>
       <fix>

@@ -22,6 +22,7 @@
 import java.net.URL;
 
 import org.apache.catalina.LifecycleException;
+import org.apache.tomcat.util.compat.JrePlatform;
 import org.apache.tomcat.util.http.RequestUtil;
 
 public abstract class AbstractFileResourceSet extends AbstractResourceSet {
@@ -77,6 +78,12 @@ protected final File file(String name, boolean mustExist) {
             return file;
         }
 
+        // Additional Windows specific checks to handle known problems with
+        // File.getCanonicalPath()
+        if (JrePlatform.IS_WINDOWS && isInvalidWindowsFilename(name)) {
+            return null;
+        }
+
         // Check that this file is located under the WebResourceSet's base
         String canPath = null;
         try {
@@ -127,6 +134,34 @@ protected final File file(String name, boolean mustExist) {
         return file;
     }
 
+
+    private boolean isInvalidWindowsFilename(String name) {
+        // For typical length file names, this is 2-3 times faster than the
+        // equivalent regular expression. The cut-over point is file names (not
+        // full paths) of ~65 characters.
+        char[] chars = name.toCharArray();
+        for (char c : chars) {
+            if (c == '\"' || c == '<' || c == '>') {
+                // These characters are disallowed in Windows file names and
+                // there are known problems for file names with these characters
+                // when using File#getCanonicalPath().
+                // Note: There are additional characters that are disallowed in
+                //       Windows file names but these are not known to cause
+                //       problems when using File#getCanonicalPath().
+                return true;
+            }
+        }
+        // Windows does allow file names to end in ' ' unless specific low level
+        // APIs are used to create the files that bypass various checks. File
+        // names that end in ' ' are known to cause problems when using
+        // File#getCanonicalPath().
+        if (chars[chars.length -1] == ' ') {
+            return true;
+        }
+        return false;
+    }
+
+
     /**
      * Return a context-relative path, beginning with a "/", that represents
      * the canonical version of the specified path after ".." and "." elements

@@ -0,0 +1,59 @@
+/*
+ *  Licensed to the Apache Software Foundation (ASF) under one or more
+ *  contributor license agreements.  See the NOTICE file distributed with
+ *  this work for additional information regarding copyright ownership.
+ *  The ASF licenses this file to You under the Apache License, Version 2.0
+ *  (the "License"); you may not use this file except in compliance with
+ *  the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS,
+ *  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+package org.apache.tomcat.util.compat;
+
+import java.security.AccessController;
+import java.security.PrivilegedAction;
+
+public class JrePlatform {
+
+    private static final String OS_NAME_PROPERTY = "os.name";
+    private static final String OS_NAME_WINDOWS_PREFIX = "Windows";
+
+    static {
+        /*
+         * There are a few places where a) the behaviour of the Java API depends
+         * on the underlying platform and b) those behavioural differences have
+         * an impact on Tomcat.
+         *
+         * Tomcat therefore needs to be able to determine the platform it is
+         * running on to account for those differences.
+         *
+         * In an ideal world this code would not exist.
+         */
+
+        // This check is derived from the check in Apache Commons Lang
+        String osName;
+        if (System.getSecurityManager() == null) {
+            osName = System.getProperty(OS_NAME_PROPERTY);
+        } else {
+            osName = AccessController.doPrivileged(
+                    new PrivilegedAction<String>() {
+
+                    @Override
+                    public String run() {
+                        return System.getProperty(OS_NAME_PROPERTY);
+                    }
+                });
+        }
+
+        IS_WINDOWS = osName.startsWith(OS_NAME_WINDOWS_PREFIX);
+    }
+
+
+    public static final boolean IS_WINDOWS;
+}

@@ -0,0 +1,66 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.catalina.webresources;
+
+import java.util.regex.Pattern;
+
+import org.junit.Test;
+
+public class TestAbstractFileResourceSetPerformance {
+
+    private static final Pattern UNSAFE_WINDOWS_FILENAME_PATTERN = Pattern.compile(" $|[\"<>]");
+
+    private static final int LOOPS = 10_000_000;
+
+    /*
+     * Checking individual characters is about 3 times faster on markt's dev
+     * PC for typical length file names. The file names need to get to ~65
+     * characters before the Pattern matching is faster.
+     */
+    @Test
+    public void testFileNameFiltering() {
+
+        long start = System.nanoTime();
+        for (int i = 0; i < LOOPS; i++) {
+            UNSAFE_WINDOWS_FILENAME_PATTERN.matcher("testfile.jsp ").matches();
+        }
+        long end = System.nanoTime();
+        System.out.println("Regular expression took " + (end - start) + "ns or " +
+                (end-start)/LOOPS + "ns per iteration");
+
+        start = System.nanoTime();
+        for (int i = 0; i < LOOPS; i++) {
+            checkForBadChars("testfile.jsp ");
+        }
+        end = System.nanoTime();
+        System.out.println("char[] check took " + (end - start) + "ns or " +
+                (end-start)/LOOPS + "ns per iteration");
+    }
+
+    private boolean checkForBadChars(String filename) {
+        char[] chars = filename.toCharArray();
+        for (char c : chars) {
+            if (c == '\"' || c == '<' || c == '>') {
+                return false;
+            }
+        }
+        if (chars[chars.length -1] == ' ') {
+            return false;
+        }
+        return true;
+    }
+}

@@ -476,11 +476,16 @@ public void modifyAttributes(String name, ModificationItem[] mods)
      * @exception NamingException if a naming exception is encountered
      */
     @Override
-    public void bind(String name, Object obj, Attributes attrs)
-        throws NamingException {
+    public void bind(String name, Object obj, Attributes attrs) throws NamingException {
 
         // Note: No custom attributes allowed
 
+        // bind() is meant to create a file so ensure that the path doesn't end
+        // in '/'
+        if (name.endsWith("/")) {
+            throw new NamingException(sm.getString("resources.bindFailed", name));
+        }
+
         File file = file(name, false);
         if (file == null) {
             throw new NamingException(sm.getString("resources.bindFailed", name));

@@ -90,6 +90,11 @@
         <code>DirContext</code> that represented the web application in a
         <code>ProxyDirContext</code> twice rather than just once. (markt)
       </fix>
+      <fix>
+        <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+        uploaded via a specially crafted request when HTTP PUT was enabled.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

@@ -860,23 +860,6 @@ protected void serveResource(HttpServletRequest request,
             return;
         }
 
-        // If the resource is not a collection, and the resource path
-        // ends with "/" or "\", return NOT FOUND
-        if (cacheEntry.context == null) {
-            if (path.endsWith("/") || (path.endsWith("\\"))) {
-                // Check if we're included so we can return the appropriate
-                // missing resource name in the error
-                String requestUri = (String) request.getAttribute(
-                        RequestDispatcher.INCLUDE_REQUEST_URI);
-                if (requestUri == null) {
-                    requestUri = request.getRequestURI();
-                }
-                response.sendError(HttpServletResponse.SC_NOT_FOUND,
-                                   requestUri);
-                return;
-            }
-        }
-
         // Check if the conditions specified in the optional If headers are
         // satisfied.
         if (cacheEntry.context == null) {

@@ -801,11 +801,18 @@ protected File file(String name) {
      */
     protected File file(String name, boolean mustExist) {
         File file = new File(base, name);
-        return validate(file, mustExist, absoluteBase);
+        return validate(file, name, mustExist, absoluteBase);
     }
 
 
-    protected File validate(File file, boolean mustExist, String absoluteBase) {
+    protected File validate(File file, String name, boolean mustExist, String absoluteBase) {
+
+        // If the requested names ends in '/', the Java File API will return a
+        // matching file if one exists. This isn't what we want as it is not
+        // consistent with the Servlet spec rules for request mapping.
+        if (file.isFile() && name.endsWith("/")) {
+            return null;
+        }
 
         if (!mustExist || file.exists() && file.canRead()) {
 

@@ -163,16 +163,16 @@ public Attributes getAttributes(String name) throws NamingException {
                 String resourcesDir = dirList.get(0);
                 if (name.equals(path)) {
                     File f = new File(resourcesDir);
-                    f = validate(f, true, resourcesDir);
+                    f = validate(f, name, true, resourcesDir);
                     if (f != null) {
                         return new FileResourceAttributes(f);
                     }
                 }
                 path += "/";
                 if (name.startsWith(path)) {
                     String res = name.substring(path.length());
-                    File f = new File(resourcesDir + "/" + res);
-                    f = validate(f, true, resourcesDir);
+                    File f = new File(resourcesDir, res);
+                    f = validate(f, res, true, resourcesDir);
                     if (f != null) {
                         return new FileResourceAttributes(f);
                     }
@@ -206,7 +206,7 @@ protected File file(String name, boolean mustExist) {
             if (name.equals(path)) {
                 for (String resourcesDir : dirList) {
                     file = new File(resourcesDir);
-                    file = validate(file, true, resourcesDir);
+                    file = validate(file, name, true, resourcesDir);
                     if (file != null) {
                         return file;
                     }
@@ -216,7 +216,7 @@ protected File file(String name, boolean mustExist) {
                 String res = name.substring(path.length());
                 for (String resourcesDir : dirList) {
                     file = new File(resourcesDir, res);
-                    file = validate(file, true, resourcesDir);
+                    file = validate(file, res, true, resourcesDir);
                     if (file != null) {
                         return file;
                     }
@@ -252,7 +252,7 @@ protected List<NamingEntry> list(File file) {
                     if (res != null) {
                         for (String resourcesDir : dirList) {
                             File f = new File(resourcesDir, res);
-                            f = validate(f, true, resourcesDir);
+                            f = validate(f, res, true, resourcesDir);
                             if (f != null && f.isDirectory()) {
                                 List<NamingEntry> virtEntries = super.list(f);
                                 for (NamingEntry entry : virtEntries) {
@@ -288,7 +288,7 @@ protected Object doLookup(String name) {
             if (name.equals(path)) {
                 for (String resourcesDir : dirList) {
                     File f = new File(resourcesDir);
-                    f = validate(f, true, resourcesDir);
+                    f = validate(f, name, true, resourcesDir);
                     if (f != null) {
                         if (f.isFile()) {
                             return new FileResource(f);
@@ -304,8 +304,8 @@ protected Object doLookup(String name) {
             if (name.startsWith(path)) {
                 String res = name.substring(path.length());
                 for (String resourcesDir : dirList) {
-                    File f = new File(resourcesDir + "/" + res);
-                    f = validate(f, true, resourcesDir);
+                    File f = new File(resourcesDir, res);
+                    f = validate(f, res, true, resourcesDir);
                     if (f != null) {
                         if (f.isFile()) {
                             return new FileResource(f);

@@ -0,0 +1,46 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *      http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package org.apache.naming.resources;
+
+import java.io.File;
+
+import javax.servlet.http.HttpServletResponse;
+
+import org.junit.Assert;
+import org.junit.Test;
+
+import org.apache.catalina.startup.Tomcat;
+import org.apache.catalina.startup.TomcatBaseTest;
+import org.apache.tomcat.util.buf.ByteChunk;
+
+public class TestFileDirContext extends TomcatBaseTest {
+
+    @Test
+    public void testLookupResourceWithTrailingSlash() throws Exception {
+        Tomcat tomcat = getTomcatInstance();
+
+        File appDir = new File("test/webapp-3.0");
+        // app dir is relative to server home
+        tomcat.addWebapp(null, "/test", appDir.getAbsolutePath());
+
+        tomcat.start();
+
+        int sc = getUrl("http://localhost:" + getPort() +
+                "/test/index.html/", new ByteChunk(), null);
+        Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, sc);
+    }
+}

@@ -217,6 +217,12 @@ public boolean write(String path, InputStream is, boolean overwrite) {
             return false;
         }
 
+        // write() is meant to create a file so ensure that the path doesn't
+        // end in '/'
+        if (path.endsWith("/")) {
+            return false;
+        }
+
         File dest = null;
         String webAppMount = getWebAppMount();
         if (path.startsWith(webAppMount)) {

@@ -447,14 +447,8 @@ public final void testWriteDirA() {
     public final void testWriteDirB() {
         WebResource d1 = resourceRoot.getResource(getMount() + "/d1/");
         InputStream is = new ByteArrayInputStream("test".getBytes());
-        if (d1.exists()) {
+        if (d1.exists() || d1.isVirtual()) {
             Assert.assertFalse(resourceRoot.write(getMount() + "/d1/", is, false));
-        } else if (d1.isVirtual()) {
-            Assert.assertTrue(resourceRoot.write(
-                    getMount() + "/d1/", is, false));
-            File file = new File(getBaseDir(), "d1");
-            Assert.assertTrue(file.exists());
-            Assert.assertTrue(file.delete());
         } else {
             Assert.fail("Unhandled condition in unit test");
         }
@@ -490,6 +484,14 @@ public final void testWrite() {
         }
     }
 
+    @Test
+    public final void testWriteWithTrailingSlash() {
+        String newFileName = getNewFileName() + "/";
+        InputStream is = new ByteArrayInputStream("test".getBytes());
+        Assert.assertFalse(resourceRoot.write(
+                getMount() + "/" + newFileName, is, false));
+    }
+
     protected abstract String getNewFileName();
 
     // ------------------------------------------------------ getCanonicalPath()

@@ -57,6 +57,11 @@
         Add an option to reject requests that contain HTTP headers with invalid
         (non-token) header names with a 400 response. (markt)
       </add>
+      <fix>
+        <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+        uploaded via a specially crafted request when HTTP PUT was enabled.
+        (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Coyote">

@@ -804,20 +804,6 @@ protected void serveResource(HttpServletRequest request,
             return;
         }
 
-        // If the resource is not a collection, and the resource path
-        // ends with "/" or "\", return NOT FOUND
-        if (resource.isFile() && (path.endsWith("/") || path.endsWith("\\"))) {
-            // Check if we're included so we can return the appropriate
-            // missing resource name in the error
-            String requestUri = (String) request.getAttribute(
-                    RequestDispatcher.INCLUDE_REQUEST_URI);
-            if (requestUri == null) {
-                requestUri = request.getRequestURI();
-            }
-            response.sendError(HttpServletResponse.SC_NOT_FOUND, requestUri);
-            return;
-        }
-
         boolean included = false;
         // Check if the conditions specified in the optional If headers are
         // satisfied.

@@ -57,6 +57,14 @@ protected final File file(String name, boolean mustExist) {
             name = "";
         }
         File file = new File(fileBase, name);
+
+        // If the requested names ends in '/', the Java File API will return a
+        // matching file if one exists. This isn't what we want as it is not
+        // consistent with the Servlet spec rules for request mapping.
+        if (file.isFile() && name.endsWith("/")) {
+            return null;
+        }
+
         if (!mustExist || file.canRead()) {
 
             if (getRoot().getAllowLinking()) {

@@ -131,6 +131,13 @@ public final void testGetResourceFile() {
         Assert.assertNotNull(webResource.getInputStream());
     }
 
+    @Test
+    public final void testGetResourceFileWithTrailingSlash() {
+        WebResource webResource =
+                resourceRoot.getResource(getMount() + "/d1/d1-f1.txt/");
+        Assert.assertFalse(webResource.exists());
+    }
+
     @Test
     public final void testGetResourceCaseSensitive() {
         WebResource webResource =

@@ -217,6 +217,12 @@ public boolean write(String path, InputStream is, boolean overwrite) {
             return false;
         }
 
+        // write() is meant to create a file so ensure that the path doesn't
+        // end in '/'
+        if (path.endsWith("/")) {
+            return false;
+        }
+
         File dest = null;
         String webAppMount = getWebAppMount();
         if (path.startsWith(webAppMount)) {

@@ -447,14 +447,8 @@ public final void testWriteDirA() {
     public final void testWriteDirB() {
         WebResource d1 = resourceRoot.getResource(getMount() + "/d1/");
         InputStream is = new ByteArrayInputStream("test".getBytes());
-        if (d1.exists()) {
+        if (d1.exists() || d1.isVirtual()) {
             Assert.assertFalse(resourceRoot.write(getMount() + "/d1/", is, false));
-        } else if (d1.isVirtual()) {
-            Assert.assertTrue(resourceRoot.write(
-                    getMount() + "/d1/", is, false));
-            File file = new File(getBaseDir(), "d1");
-            Assert.assertTrue(file.exists());
-            Assert.assertTrue(file.delete());
         } else {
             Assert.fail("Unhandled condition in unit test");
         }
@@ -490,6 +484,14 @@ public final void testWrite() {
         }
     }
 
+    @Test
+    public final void testWriteWithTrailingSlash() {
+        String newFileName = getNewFileName() + "/";
+        InputStream is = new ByteArrayInputStream("test".getBytes());
+        Assert.assertFalse(resourceRoot.write(
+                getMount() + "/" + newFileName, is, false));
+    }
+
     protected abstract String getNewFileName();
 
     // ------------------------------------------------------ getCanonicalPath()

@@ -45,6 +45,15 @@
   issues do not "pop up" wrt. others).
 -->
 <section name="Tomcat 9.0.0.M28 (markt)" rtext="in development">
+  <subsection name="Catalina">
+    <changelog>
+      <fix>
+        <bug>61542</bug>: Fix CVE-2017-12617 and prevent JSPs from being
+        uploaded via a specially crafted request when HTTP PUT was enabled.
+        (markt)
+      </fix>
+    </changelog>
+  </subsection>
   <subsection name="Coyote">
     <changelog>
       <add>

@@ -820,20 +820,6 @@ protected void serveResource(HttpServletRequest request,
             return;
         }
 
-        // If the resource is not a collection, and the resource path
-        // ends with "/" or "\", return NOT FOUND
-        if (resource.isFile() && (path.endsWith("/") || path.endsWith("\\"))) {
-            // Check if we're included so we can return the appropriate
-            // missing resource name in the error
-            String requestUri = (String) request.getAttribute(
-                    RequestDispatcher.INCLUDE_REQUEST_URI);
-            if (requestUri == null) {
-                requestUri = request.getRequestURI();
-            }
-            response.sendError(HttpServletResponse.SC_NOT_FOUND, requestUri);
-            return;
-        }
-
         boolean included = false;
         // Check if the conditions specified in the optional If headers are
         // satisfied.

@@ -57,6 +57,14 @@ protected final File file(String name, boolean mustExist) {
             name = "";
         }
         File file = new File(fileBase, name);
+
+        // If the requested names ends in '/', the Java File API will return a
+        // matching file if one exists. This isn't what we want as it is not
+        // consistent with the Servlet spec rules for request mapping.
+        if (file.isFile() && name.endsWith("/")) {
+            return null;
+        }
+
         if (!mustExist || file.canRead()) {
 
             if (getRoot().getAllowLinking()) {

@@ -131,6 +131,13 @@ public final void testGetResourceFile() {
         Assert.assertNotNull(webResource.getInputStream());
     }
 
+    @Test
+    public final void testGetResourceFileWithTrailingSlash() {
+        WebResource webResource =
+                resourceRoot.getResource(getMount() + "/d1/d1-f1.txt/");
+        Assert.assertFalse(webResource.exists());
+    }
+
     @Test
     public final void testGetResourceCaseSensitive() {
         WebResource webResource =