[Git][java-team/jetty9][stretch] Add CVE-2022-2047.patch

Markus Koschany (@apo) gitlab at salsa.debian.org
Wed Jul 20 14:47:44 BST 2022



Markus Koschany pushed to branch stretch at Debian Java Maintainers / jetty9


Commits:
3e2ed9be by Markus Koschany at 2022-07-20T15:47:29+02:00
Add CVE-2022-2047.patch

- - - - -


2 changed files:

- + debian/patches/CVE-2022-2047.patch
- debian/patches/series


Changes:

=====================================
debian/patches/CVE-2022-2047.patch
=====================================
@@ -0,0 +1,48 @@
+From: Markus Koschany <apo at debian.org>
+Date: Mon, 18 Jul 2022 14:05:22 +0200
+Subject: CVE-2022-2047
+
+Now always adding a "/" before the path, if not already present.
+
+Origin: https://github.com/eclipse/jetty.project/pull/8146/commits/878ff231867c5d257eeb2340b739cd84dd233c26
+---
+ .../src/main/java/org/eclipse/jetty/client/HttpRequest.java  | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
+index 58c9295..c3b099c 100644
+--- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
++++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
+@@ -174,6 +174,8 @@ public class HttpRequest implements Request
+                 rawPath = path;
+             if (rawPath == null)
+                 rawPath = "";
++            if (!rawPath.startsWith("/"))
++                rawPath = "/" + rawPath;
+             this.path = rawPath;
+             String query = uri.getRawQuery();
+             if (query != null)
+@@ -793,16 +795,20 @@ public class HttpRequest implements Request
+         return result;
+     }
+ 
+-    private URI newURI(String uri)
++    private URI newURI(String path)
+     {
+         try
+         {
+-            return new URI(uri);
++            // Handle specially the "OPTIONS *" case, since it is possible to create a URI from "*" (!).
++            if ("*".equals(path))
++                return null;
++            URI result = new URI(path);
++            return result.isOpaque() ? null : result;
+         }
+         catch (URISyntaxException x)
+         {
+             // The "path" of a HTTP request may not be a URI,
+-            // for example for CONNECT 127.0.0.1:8080 or OPTIONS *.
++            // for example for CONNECT 127.0.0.1:8080.
+             return null;
+         }
+     }
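Review bot: The patch description at the top mentions only the leading "/" normalisation, while the second inner hunk also changes `newURI` to return null for "*" and for any opaque URI, and the `isOpaque()` check carries no explanation. `java.net.URI` parses a string such as `localhost:8080` as an opaque URI with scheme `localhost`, so without that test a host:port target would be handed back as a real URI; a comment such as `// "host:port" parses as an opaque URI (scheme "host"); treat it as not a URI` above the return would make the intent clear. The header could also state how this client-side change in HttpRequest relates to CVE-2022-2047, and that only one commit of the upstream pull request is taken, presumably because the rest does not apply to this branch. Both inner hunks show only part of their enclosing code, so the callers of `newURI` that must cope with the additional null results are not visible here.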


=====================================
debian/patches/series
=====================================
@@ -6,3 +6,4 @@
 ecj-dependency.patch
 CVE-2020-27216.patch
 CVE-2021-28169.patch
+CVE-2022-2047.patch



View it on GitLab: https://salsa.debian.org/java-team/jetty9/-/commit/3e2ed9be3c5d0517851e4c95132da4cfce2a4bb1
