[pkg-java] r7117 - in trunk/tomcat5.5: connectors/coyote/src/java/org/apache/coyote connectors/http11/src/java/org/apache/coyote/http11 connectors/jk/java/org/apache/coyote/ajp connectors/jk/java/org/apache/jk/common container/catalina/src/share/org/apache/catalina/core debian
marcusb-guest at alioth.debian.org
Sun Oct 5 12:15:37 UTC 2008
Author: marcusb-guest
Date: 2008-10-05 12:15:37 +0000 (Sun, 05 Oct 2008)
New Revision: 7117
Modified:
trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/Constants.java
trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
trunk/tomcat5.5/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
trunk/tomcat5.5/connectors/jk/java/org/apache/jk/common/JkInputStream.java
trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
trunk/tomcat5.5/debian/changelog
Log:
Apply fix for CVE-2008-1232 from http://svn.apache.org/viewvc?view=rev&revision=680947.
Modified: trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/Constants.java
===================================================================
--- trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/Constants.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/Constants.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -53,4 +53,12 @@
public static final int STAGE_ENDED = 7;
+ /**
+ * If true, custom HTTP status messages will be used in headers.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ Boolean.valueOf(System.getProperty(
+ "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+ "false")).booleanValue();
+
}
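Review bot: The Javadoc on USE_CUSTOM_STATUS_MSG_IN_HEADER does not tell the reader where the value comes from or when it is fixed: it is read once at class initialization from the system property `org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER`, defaults to false, and setting the property later has no effect. Suggest extending the comment to `* Read once at class load from the system property org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER (default false).` and adding `* Enabling it puts caller-supplied reason phrases back on the status line, so only trusted code should set Response messages.` The initializer could also be written as `Boolean.getBoolean("org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER");`, which is equivalent (false when absent or not "true") and avoids the valueOf/booleanValue round trip.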
Modified: trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
===================================================================
--- trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -429,11 +429,14 @@
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
write(HttpMessages.getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
}
// End the response status line
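Review bot: The CR/LF neutralization `message.replace('\n', ' ').replace('\r', ' ')` is written inline here and duplicated verbatim in InternalOutputBuffer at @@ -448; a single helper (e.g. on HttpMessages or Response) would keep the two copies from diverging the next time the rule changes. Whichever form is kept, the line deserves a why-comment, since nothing says what the replacement protects against: `// Strip CR/LF so a caller-supplied reason phrase cannot end the status line or inject headers (CVE-2008-1232)`. Only CR and LF are replaced; whether write(String) copes with other non-printable or non-ASCII characters in a custom phrase cannot be seen from this hunk and is worth confirming. The enclosing method starts and ends outside the hunk.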
Modified: trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
===================================================================
--- trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -448,11 +448,14 @@
buf[pos++] = Constants.SP;
// Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null) {
write(getMessage(status));
} else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
}
// End the response status line
Modified: trunk/tomcat5.5/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
--- trunk/tomcat5.5/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -942,7 +942,10 @@
// HTTP header contents
responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
if (message == null){
message = HttpMessages.getMessage(response.getStatus());
} else {
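Review bot: Unlike the two HTTP/1.1 output buffers in this commit, nothing visible in this hunk neutralizes CR/LF in the custom message; the else branch that handles it begins at the hunk's last line and its body is outside the hunk, so if it still forwards the message unchanged, the AJP path passes a raw caller-supplied reason phrase to the fronting web server whenever the property is enabled. The same applies to JkInputStream at @@ -279. Unless the else branch already does so, it should apply `message = message.replace('\n', ' ').replace('\r', ' ');` as the HTTP/1.1 buffers do. The enclosing method starts and ends outside the hunk.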
Modified: trunk/tomcat5.5/connectors/jk/java/org/apache/jk/common/JkInputStream.java
===================================================================
--- trunk/tomcat5.5/connectors/jk/java/org/apache/jk/common/JkInputStream.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/jk/java/org/apache/jk/common/JkInputStream.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -279,7 +279,10 @@
outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS);
outputMsg.appendInt( res.getStatus() );
- String message=res.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = res.getMessage();
+ }
if( message==null ){
message= HttpMessages.getMessage(res.getStatus());
} else {
Modified: trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
===================================================================
--- trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -119,8 +119,7 @@
|| (requestPathMB.equalsIgnoreCase("/META-INF"))
|| (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
|| (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
}
@@ -136,8 +135,7 @@
// Select the Wrapper to be used for this Request
Wrapper wrapper = request.getWrapper();
if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
return;
}
@@ -206,13 +204,12 @@
* application, but currently that code runs at the wrapper level rather
* than the context level.
*
- * @param requestURI The request URI for the requested resource
* @param response The response we are creating
*/
- private void notFound(String requestURI, HttpServletResponse response) {
+ private void notFound(HttpServletResponse response) {
try {
- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
} catch (IllegalStateException e) {
;
} catch (IOException e) {
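Review bot: After dropping the requestURI parameter, notFound's Javadoc no longer records why the decoded request URI is deliberately not passed to sendError, which is the whole point of this change and of the two caller updates at @@ -119 and @@ -136; a future maintainer could reasonably add it back for a friendlier message. Suggest adding to the Javadoc: `* The request URI is intentionally not passed as the sendError message: that text is passed through to the error page, so a caller-controlled URI there was the CVE-2008-1232 XSS vector.` The method's remaining catch block continues past the hunk.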
Modified: trunk/tomcat5.5/debian/changelog
===================================================================
--- trunk/tomcat5.5/debian/changelog 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/debian/changelog 2008-10-05 12:15:37 UTC (rev 7117)
@@ -1,3 +1,10 @@
+tomcat5.5 (5.5.26-4) unstable; urgency=high
+
+ * Security issues fixed.
+ - CVE-2008-1232: Cross-site scripting.
+
+ -- Marcus Better <marcus at better.se> Sun, 05 Oct 2008 14:15:19 +0200
+
tomcat5.5 (5.5.26-3) unstable; urgency=high
* CVE-2008-1947: Fix XSS issue in host-manager web application.