[Git][java-team/jetty9][stretch] Add CVE-2022-2047.patch
Markus Koschany (@apo)
gitlab at salsa.debian.org
Wed Jul 20 14:47:44 BST 2022
Markus Koschany pushed to branch stretch at Debian Java Maintainers / jetty9
Commits:
3e2ed9be by Markus Koschany at 2022-07-20T15:47:29+02:00
Add CVE-2022-2047.patch
- - - - -
2 changed files:
- + debian/patches/CVE-2022-2047.patch
- debian/patches/series
Changes:
=====================================
debian/patches/CVE-2022-2047.patch
=====================================
@@ -0,0 +1,48 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 18 Jul 2022 14:05:22 +0200
+Subject: CVE-2022-2047
+
+Now always adding a "/" before the path, if not already present.
+
+Origin: https://github.com/eclipse/jetty.project/pull/8146/commits/878ff231867c5d257eeb2340b739cd84dd233c26
+---
+ .../src/main/java/org/eclipse/jetty/client/HttpRequest.java | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
+index 58c9295..c3b099c 100644
+--- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
++++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
+@@ -174,6 +174,8 @@ public class HttpRequest implements Request
+ rawPath = path;
+ if (rawPath == null)
+ rawPath = "";
++ if (!rawPath.startsWith("/"))
++ rawPath = "/" + rawPath;
+ this.path = rawPath;
+ String query = uri.getRawQuery();
+ if (query != null)
+@@ -793,16 +795,20 @@ public class HttpRequest implements Request
+ return result;
+ }
+
+- private URI newURI(String uri)
++ private URI newURI(String path)
+ {
+ try
+ {
+- return new URI(uri);
++ // Handle specially the "OPTIONS *" case, since it is possible to create a URI from "*" (!).
++ if ("*".equals(path))
++ return null;
++ URI result = new URI(path);
++ return result.isOpaque() ? null : result;
+ }
+ catch (URISyntaxException x)
+ {
+ // The "path" of a HTTP request may not be a URI,
+- // for example for CONNECT 127.0.0.1:8080 or OPTIONS *.
++ // for example for CONNECT 127.0.0.1:8080.
+ return null;
+ }
+ }
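Review bot: The patch header (the Origin and diffstat lines) shows that only one commit of upstream pull request 8146 is carried and that only jetty-client's HttpRequest.java changes, but the description does not say why that is enough to resolve CVE-2022-2047 on this branch. If the upstream fix also changes URI authority parsing outside this file (I believe the advisory concerns that, to be confirmed), the description should record the decision, e.g. `Only the HttpRequest change is backported; <reason the remaining upstream changes do not apply to this version>.` In the code, `newURI` now returns null for `"*"` and for opaque URIs as well as on URISyntaxException, and its callers lie outside the hunk, so each should be checked to treat null as "not a URI". A comment on the method such as `// Returns null when path is "*", opaque, or not a valid URI.` would state that contract.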
=====================================
debian/patches/series
=====================================
@@ -6,3 +6,4 @@
ecj-dependency.patch
CVE-2020-27216.patch
CVE-2021-28169.patch
+CVE-2022-2047.patch
View it on GitLab: https://salsa.debian.org/java-team/jetty9/-/commit/3e2ed9be3c5d0517851e4c95132da4cfce2a4bb1