[pkg-java] r16134 - in branches/libspring-2.5-java/squeeze/debian: . patches

Damien Raude-Morvan drazzib at alioth.debian.org
Sat Jun 16 23:41:26 UTC 2012


Author: drazzib
Date: 2012-06-16 23:41:26 +0000 (Sat, 16 Jun 2012)
New Revision: 16134

Added:
   branches/libspring-2.5-java/squeeze/debian/patches/CVE-2011-2730.diff
Modified:
   branches/libspring-2.5-java/squeeze/debian/changelog
   branches/libspring-2.5-java/squeeze/debian/patches/series
Log:
* Backport fix for CVE-2011-2730: Spring Framework information disclosure
  from 2.5.6.SEC03 on upstream maintenance repository (Closes: #677814):
  - d/patches/CVE-2011-2730.diff: A new context parameter has been added
    called springJspExpressionSupport. When true (the default) the existing
    behaviour of evaluating EL within the tag will be performed. When running
    in an environment where EL support is provided by the container, it is
    strongly recommended that this is set to false

Modified: branches/libspring-2.5-java/squeeze/debian/changelog
===================================================================
--- branches/libspring-2.5-java/squeeze/debian/changelog	2012-06-16 22:07:17 UTC (rev 16133)
+++ branches/libspring-2.5-java/squeeze/debian/changelog	2012-06-16 23:41:26 UTC (rev 16134)
@@ -1,3 +1,15 @@
+libspring-2.5-java (2.5.6.SEC02-2+squeeze1) stable-security; urgency=high
+
+  * Backport fix for CVE-2011-2730: Spring Framework information disclosure
+    from 2.5.6.SEC03 on upstream maintainance repository (Closes: #677814):
+    - d/patches/CVE-2011-2730.diff: A new context parameter has been added
+      called springJspExpressionSupport. When true (the default) the existing
+      behaviour of evaluating EL within the tag will be performed. When running
+      in an environment where EL support is provided by the container, it is
+      strongly recommended that this is set to false
+
+ -- Damien Raude-Morvan <drazzib at debian.org>  Sun, 17 Jun 2012 00:13:30 +0200
+
 libspring-2.5-java (2.5.6.SEC02-2) unstable; urgency=low
 
   [ Miguel Landaeta ]

Added: branches/libspring-2.5-java/squeeze/debian/patches/CVE-2011-2730.diff
===================================================================
--- branches/libspring-2.5-java/squeeze/debian/patches/CVE-2011-2730.diff	                        (rev 0)
+++ branches/libspring-2.5-java/squeeze/debian/patches/CVE-2011-2730.diff	2012-06-16 23:41:26 UTC (rev 16134)
@@ -0,0 +1,130 @@
+Description: Fix CVE-2011-2730 in libspring-2.5-java.
+ <URL: http://www.securityfocus.com/archive/1/519586/30/0/threaded>
+ A new context parameter has been added called springJspExpressionSupport.
+ When true (the default) the existing behaviour of evaluating EL within the tag
+ will be performed. When running in an environment where EL support is provided
+ by the container, it is strongly recommended that this is set to false
+From: https://src.springframework.org/svn/spring-maintenance/tags/release-2-5-6-SEC03/
+Bug-Vendor: http://www.springsource.com/security/cve-2011-2730
+Bug-Debian: http://bugs.debian.org/677814
+--- a/src/org/springframework/web/util/ExpressionEvaluationUtils.java
++++ b/src/org/springframework/web/util/ExpressionEvaluationUtils.java
+@@ -70,6 +70,12 @@
+ public abstract class ExpressionEvaluationUtils {
+ 
+ 	/**
++	 * Expression support parameter at the servlet context level
++	 * (i.e. a context-param in <code>web.xml</code>): "springJspExpressionSupport".
++	 */
++	public static final String EXPRESSION_SUPPORT_CONTEXT_PARAM = "springJspExpressionSupport";
++
++	/**
+ 	 * JSP 2.0 expression cache parameter at the servlet context level
+ 	 * (i.e. a context-param in <code>web.xml</code>): "cacheJspExpressions".
+ 	 */
+@@ -122,6 +128,31 @@
+ 
+ 
+ 	/**
++	 * Check whether Spring's JSP expression support is actually active.
++	 * <p>Note that JSP 2.0+ containers come with expression support themselves:
++	 * However, it will only be active for web applications declaring Servlet 2.4
++	 * or higher in their <code>web.xml</code> deployment descriptor.
++	 * <p>If a <code>web.xml</code> context-param named "springJspExpressionSupport" is
++	 * found, its boolean value will be taken to decide whether this support is active.
++	 * If not found, for backwards compatibility with Servlet 2.3 applications,
++	 * Spring's expression support will remain active by default.
++	 * <p><b>Recommendations:</b> Explicitly set "springJspExpressionSupport" to "false"
++	 * in order to prevent double evaluation for Servlet 2.4+ based applications.
++	 * @param pageContext current JSP PageContext
++	 * @return <code>true</code> if active (ExpressionEvaluationUtils will actually evaluate expressions);
++	 * <code>false</code> if not active (ExpressionEvaluationUtils will return given values as-is,
++	 * relying on the JSP container pre-evaluating values before passing them to JSP tag attributes)
++	 */
++	public static boolean isSpringJspExpressionSupportActive(PageContext pageContext) {
++		ServletContext sc = pageContext.getServletContext();
++		String springJspExpressionSupport = sc.getInitParameter(EXPRESSION_SUPPORT_CONTEXT_PARAM);
++		if (springJspExpressionSupport != null) {
++			return Boolean.valueOf(springJspExpressionSupport).booleanValue();
++		}
++		return true;
++	}
++
++	/**
+ 	 * Check if the given expression value is an EL expression.
+ 	 * @param value the expression to check
+ 	 * @return <code>true</code> if the expression is an EL expression,
+@@ -144,9 +175,9 @@
+ 	 * the result class
+ 	 */
+ 	public static Object evaluate(String attrName, String attrValue, Class resultClass, PageContext pageContext)
+-	    throws JspException {
++			throws JspException {
+ 
+-		if (isExpressionLanguage(attrValue)) {
++		if (isSpringJspExpressionSupportActive(pageContext) && isExpressionLanguage(attrValue)) {
+ 			return doEvaluate(attrName, attrValue, resultClass, pageContext);
+ 		}
+ 		else if (attrValue != null && resultClass != null && !resultClass.isInstance(attrValue)) {
+@@ -167,9 +198,9 @@
+ 	 * @throws JspException in case of parsing errors
+ 	 */
+ 	public static Object evaluate(String attrName, String attrValue, PageContext pageContext)
+-	    throws JspException {
++			throws JspException {
+ 
+-		if (isExpressionLanguage(attrValue)) {
++		if (isSpringJspExpressionSupportActive(pageContext) && isExpressionLanguage(attrValue)) {
+ 			return doEvaluate(attrName, attrValue, Object.class, pageContext);
+ 		}
+ 		else {
+@@ -186,9 +217,9 @@
+ 	 * @throws JspException in case of parsing errors
+ 	 */
+ 	public static String evaluateString(String attrName, String attrValue, PageContext pageContext)
+-	    throws JspException {
++			throws JspException {
+ 
+-		if (isExpressionLanguage(attrValue)) {
++		if (isSpringJspExpressionSupportActive(pageContext) && isExpressionLanguage(attrValue)) {
+ 			return (String) doEvaluate(attrName, attrValue, String.class, pageContext);
+ 		}
+ 		else {
+@@ -207,7 +238,7 @@
+ 	public static int evaluateInteger(String attrName, String attrValue, PageContext pageContext)
+ 			throws JspException {
+ 
+-		if (isExpressionLanguage(attrValue)) {
++		if (isSpringJspExpressionSupportActive(pageContext) && isExpressionLanguage(attrValue)) {
+ 			return ((Integer) doEvaluate(attrName, attrValue, Integer.class, pageContext)).intValue();
+ 		}
+ 		else {
+@@ -224,9 +255,9 @@
+ 	 * @throws JspException in case of parsing errors
+ 	 */
+ 	public static boolean evaluateBoolean(String attrName, String attrValue, PageContext pageContext)
+-	    throws JspException {
++			throws JspException {
+ 
+-		if (isExpressionLanguage(attrValue)) {
++		if (isSpringJspExpressionSupportActive(pageContext) && isExpressionLanguage(attrValue)) {
+ 			return ((Boolean) doEvaluate(attrName, attrValue, Boolean.class, pageContext)).booleanValue();
+ 		}
+ 		else {
+--- a/test/org/springframework/web/util/ExpressionEvaluationUtilsTests.java
++++ b/test/org/springframework/web/util/ExpressionEvaluationUtilsTests.java
+@@ -37,6 +37,14 @@
+  */
+ public class ExpressionEvaluationUtilsTests extends TestCase {
+ 
++	public void testIsSpringJspExpressionSupportActive() {
++		MockServletContext sc = new MockServletContext();
++		PageContext pc = new MockPageContext(sc);
++		assertTrue(ExpressionEvaluationUtils.isSpringJspExpressionSupportActive(pc));
++		sc.addInitParameter("springJspExpressionSupport", "false");
++		assertFalse(ExpressionEvaluationUtils.isSpringJspExpressionSupportActive(pc));
++	}
++
+ 	public void testIsExpressionLanguage() {
+ 		assertTrue(ExpressionEvaluationUtils.isExpressionLanguage("${bla}"));
+ 		assertTrue(ExpressionEvaluationUtils.isExpressionLanguage("bla${bla}"));
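Review bot: The mitigation is opt-in: `isSpringJspExpressionSupportActive` returns `true` whenever the `springJspExpressionSupport` context-param is absent, so after this upgrade every deployed webapp keeps the double-evaluation behaviour on a container that already provides EL until its administrator edits web.xml. The patch cannot safely flip that default without breaking Servlet 2.3 applications, but the package should surface it to admins: a debian/NEWS entry for 2.5.6.SEC02-2+squeeze1 saying that `<context-param><param-name>springJspExpressionSupport</param-name><param-value>false</param-value></context-param>` should be added to web.xml when the servlet container evaluates EL itself would make the upgrade actually close the issue in practice. The added test covers only the absent and `"false"` cases; an explicit `"true"` case and a non-boolean value (which `Boolean.valueOf` maps to `false`, i.e. fails safe) would pin the parsing behaviour. Separately, the patch header puts the upstream URL under `From:`, which DEP-3 reserves for the author; `Origin: backport, <URL>` is the field meant for it.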

Modified: branches/libspring-2.5-java/squeeze/debian/patches/series
===================================================================
--- branches/libspring-2.5-java/squeeze/debian/patches/series	2012-06-16 22:07:17 UTC (rev 16133)
+++ branches/libspring-2.5-java/squeeze/debian/patches/series	2012-06-16 23:41:26 UTC (rev 16134)
@@ -13,3 +13,4 @@
 14_portlet_api.diff
 15_fix_build_with_asm3.diff
 16_commonj.diff
+CVE-2011-2730.diff



