[pkg-java] r11389 - trunk/libstruts1.2-java/debian/patches

Niels Thykier nthykier-guest at alioth.debian.org
Fri Jan 22 12:36:27 UTC 2010


Author: nthykier-guest
Date: 2010-01-22 12:36:24 +0000 (Fri, 22 Jan 2010)
New Revision: 11389

Added:
   trunk/libstruts1.2-java/debian/patches/02_CVE-2008-2025.patch
Modified:
   trunk/libstruts1.2-java/debian/patches/01_build_javac_target.patch
Log:
Added NMU patch and added description to existing patch.


Modified: trunk/libstruts1.2-java/debian/patches/01_build_javac_target.patch
===================================================================
--- trunk/libstruts1.2-java/debian/patches/01_build_javac_target.patch	2010-01-22 11:39:29 UTC (rev 11388)
+++ trunk/libstruts1.2-java/debian/patches/01_build_javac_target.patch	2010-01-22 12:36:24 UTC (rev 11389)
@@ -1,5 +1,7 @@
---- build.xml.old 2006-03-09 15:32:38.000000000 +0000
-+++ build.xml	2006-04-24 10:26:48.000000000 +0000
+Description: Puts in missing "target" attribute to the compiler (prevents FTBFS).
+
+--- a/build.xml 2006-03-09 15:32:38.000000000 +0000
++++ b/build.xml	2006-04-24 10:26:48.000000000 +0000
 @@ -398,7 +398,8 @@
              destdir="${build.home}/library/classes"
              debug="${compile.debug}"

Added: trunk/libstruts1.2-java/debian/patches/02_CVE-2008-2025.patch
===================================================================
--- trunk/libstruts1.2-java/debian/patches/02_CVE-2008-2025.patch	                        (rev 0)
+++ trunk/libstruts1.2-java/debian/patches/02_CVE-2008-2025.patch	2010-01-22 12:36:24 UTC (rev 11389)
@@ -0,0 +1,331 @@
+Description: Fixes CVE-2008-2025 Cross-site scripting (XSS) vulnerability
+Author: Giuseppe Iuculano <iuculano at debian.org>
+
+diff --git a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
+index 403ff97..386ccf3 100644
+--- a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
++++ b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
+@@ -35,6 +35,7 @@ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.taglib.logic.IterateTag;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.util.RequestUtils;
++import org.apache.struts.util.ResponseUtils;
+ 
+ /**
+  * Base class for tags that render form elements capable of including JavaScript
+@@ -898,10 +899,12 @@ public abstract class BaseHandlerTag extends BodyTagSupport {
+      */
+     protected void prepareAttribute(StringBuffer handlers, String name, Object value) {
+         if (value != null) {
++            if (name.indexOf('"') >= 0)
++                throw new IllegalArgumentException("quote character in attribute name");
+             handlers.append(" ");
+             handlers.append(name);
+             handlers.append("=\"");
+-            handlers.append(value);
++            handlers.append(ResponseUtils.filterIfQuote(value.toString()));
+             handlers.append("\"");
+         }
+     }
+diff --git a/src/share/org/apache/struts/taglib/html/FormTag.java b/src/share/org/apache/struts/taglib/html/FormTag.java
+index e8eb9b4..ba2d782 100644
+--- a/src/share/org/apache/struts/taglib/html/FormTag.java
++++ b/src/share/org/apache/struts/taglib/html/FormTag.java
+@@ -37,6 +37,7 @@ import org.apache.struts.config.ModuleConfig;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.util.RequestUtils;
++import org.apache.struts.util.ResponseUtils;
+ 
+ /**
+  * Custom tag that represents an input form, associated with a bean whose
+@@ -547,10 +548,10 @@ public class FormTag extends TagSupport {
+ 
+         results.append(" action=\"");
+         results.append(
+-            response.encodeURL(
++            ResponseUtils.filterIfQuote(response.encodeURL(
+                 TagUtils.getInstance().getActionMappingURL(
+                     this.action,
+-                    this.pageContext)));
++                    this.pageContext))));
+                 
+         results.append("\"");
+     }
+@@ -580,7 +581,7 @@ public class FormTag extends TagSupport {
+                 results.append("<div><input type=\"hidden\" name=\"");
+                 results.append(Constants.TOKEN_KEY);
+                 results.append("\" value=\"");
+-                results.append(token);
++                results.append(ResponseUtils.filterIfQuote(token));
+                 if (this.isXhtml()) {
+                     results.append("\" />");
+                 } else {
+@@ -598,10 +599,12 @@ public class FormTag extends TagSupport {
+      */
+     protected void renderAttribute(StringBuffer results, String attribute, String value) {
+         if (value != null) {
++            if (attribute.indexOf('"') >= 0)
++                throw new IllegalArgumentException("quote character in attribute name");
+             results.append(" ");
+             results.append(attribute);
+             results.append("=\"");
+-            results.append(value);
++            results.append(ResponseUtils.filterIfQuote(value));
+             results.append("\"");
+         }
+     }
+diff --git a/src/share/org/apache/struts/taglib/html/HtmlTag.java b/src/share/org/apache/struts/taglib/html/HtmlTag.java
+index fb64875..d4da38d 100644
+--- a/src/share/org/apache/struts/taglib/html/HtmlTag.java
++++ b/src/share/org/apache/struts/taglib/html/HtmlTag.java
+@@ -29,6 +29,7 @@ import javax.servlet.jsp.tagext.TagSupport;
+ import org.apache.struts.Globals;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+ 
+ /**
+  * Renders an HTML <html> element with appropriate language attributes if
+@@ -151,20 +152,20 @@ public class HtmlTag extends TagSupport {
+ 
+         if ((this.lang || this.locale || this.xhtml) && validLanguage) {
+             sb.append(" lang=\"");
+-            sb.append(language);
++            sb.append(ResponseUtils.filterIfQuote(language));
+             if (validCountry) {
+                 sb.append("-");
+-                sb.append(country);
++                sb.append(ResponseUtils.filterIfQuote(country));
+             }
+             sb.append("\"");
+         }
+ 
+         if (this.xhtml && validLanguage) {
+             sb.append(" xml:lang=\"");
+-            sb.append(language);
++            sb.append(ResponseUtils.filterIfQuote(language));
+             if (validCountry) {
+                 sb.append("-");
+-                sb.append(country);
++                sb.append(ResponseUtils.filterIfQuote(country));
+             }
+             sb.append("\"");
+         }
+diff --git a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
+index 77d7dba..5da8317 100644
+--- a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
++++ b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
+@@ -45,6 +45,7 @@ import org.apache.struts.Globals;
+ import org.apache.struts.action.ActionMapping;
+ import org.apache.struts.config.ModuleConfig;
+ import org.apache.struts.taglib.TagUtils;
++import org.apache.struts.util.ResponseUtils;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.validator.Resources;
+ import org.apache.struts.validator.ValidatorPlugIn;
+@@ -850,7 +851,7 @@ public class JavascriptValidatorTag extends BodyTagSupport {
+         }
+ 
+         if (this.src != null) {
+-            start.append(" src=\"" + src + "\"");
++            start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\"");
+         }
+ 
+         start.append("> \n");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionTag.java b/src/share/org/apache/struts/taglib/html/OptionTag.java
+index 4df5c95..e9e4b2e 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionTag.java
+@@ -26,6 +26,7 @@ import javax.servlet.jsp.tagext.BodyTagSupport;
+ import org.apache.struts.Globals;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+ 
+ /**
+  * Tag for select options.  The body of this tag is presented to the user
+@@ -235,7 +236,7 @@ public class OptionTag extends BodyTagSupport {
+     protected String renderOptionElement() throws JspException {
+         StringBuffer results = new StringBuffer("<option value=\"");
+         
+-        results.append(this.value);
++        results.append(ResponseUtils.filterIfQuote(this.value));
+         results.append("\"");
+         if (disabled) {
+             results.append(" disabled=\"disabled\"");
+@@ -245,17 +246,17 @@ public class OptionTag extends BodyTagSupport {
+         }
+         if (style != null) {
+             results.append(" style=\"");
+-            results.append(style);
++            results.append(ResponseUtils.filterIfQuote(style));
+             results.append("\"");
+         }
+         if (styleId != null) {
+             results.append(" id=\"");
+-            results.append(styleId);
++            results.append(ResponseUtils.filterIfQuote(styleId));
+             results.append("\"");
+         }
+         if (styleClass != null) {
+             results.append(" class=\"");
+-            results.append(styleClass);
++            results.append(ResponseUtils.filterIfQuote(styleClass));
+             results.append("\"");
+         }
+         results.append(">");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
+index 9999259..e5ecb66 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
+@@ -30,6 +30,7 @@ import javax.servlet.jsp.tagext.TagSupport;
+ 
+ import org.apache.commons.beanutils.PropertyUtils;
+ import org.apache.struts.util.IteratorAdapter;
++import org.apache.struts.util.ResponseUtils;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
+ 
+@@ -291,7 +292,7 @@ public class OptionsCollectionTag extends TagSupport {
+         if (filter) {
+             sb.append(TagUtils.getInstance().filter(value));
+         } else {
+-            sb.append(value);
++            sb.append(ResponseUtils.filterIfQuote(value));
+         }
+         sb.append("\"");
+         if (matched) {
+@@ -299,12 +300,12 @@ public class OptionsCollectionTag extends TagSupport {
+         }
+         if (style != null) {
+             sb.append(" style=\"");
+-            sb.append(style);
++            sb.append(ResponseUtils.filterIfQuote(style));
+             sb.append("\"");
+         }
+         if (styleClass != null) {
+             sb.append(" class=\"");
+-            sb.append(styleClass);
++            sb.append(ResponseUtils.filterIfQuote(styleClass));
+             sb.append("\"");
+         }
+         
+@@ -313,7 +314,7 @@ public class OptionsCollectionTag extends TagSupport {
+         if (filter) {
+             sb.append(TagUtils.getInstance().filter(label));
+         } else {
+-            sb.append(label);
++            sb.append(ResponseUtils.filterIfQuote(label));
+         }
+         
+         sb.append("</option>\r\n");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionsTag.java b/src/share/org/apache/struts/taglib/html/OptionsTag.java
+index 90d716a..dbc14cf 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionsTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionsTag.java
+@@ -32,6 +32,7 @@ import org.apache.commons.beanutils.PropertyUtils;
+ import org.apache.struts.util.IteratorAdapter;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+ 
+ /**
+  * Tag for creating multiple &lt;select&gt; options from a collection.  The
+@@ -313,7 +314,7 @@ public class OptionsTag extends TagSupport {
+         if (filter) {
+             sb.append(TagUtils.getInstance().filter(value));
+         } else {
+-            sb.append(value);
++            sb.append(ResponseUtils.filterIfQuote(value));
+         }
+         sb.append("\"");
+         if (matched) {
+@@ -321,12 +322,12 @@ public class OptionsTag extends TagSupport {
+         }
+         if (style != null) {
+             sb.append(" style=\"");
+-            sb.append(style);
++            sb.append(ResponseUtils.filterIfQuote(style));
+             sb.append("\"");
+         }
+         if (styleClass != null) {
+             sb.append(" class=\"");
+-            sb.append(styleClass);
++            sb.append(ResponseUtils.filterIfQuote(styleClass));
+             sb.append("\"");
+         }
+         
+@@ -335,7 +336,7 @@ public class OptionsTag extends TagSupport {
+         if (filter) {
+             sb.append(TagUtils.getInstance().filter(label));
+         } else {
+-            sb.append(label);
++            sb.append(ResponseUtils.filterIfQuote(label));
+         }
+         
+         sb.append("</option>\r\n");
+diff --git a/src/share/org/apache/struts/taglib/html/RewriteTag.java b/src/share/org/apache/struts/taglib/html/RewriteTag.java
+index 804e50c..63a2f03 100644
+--- a/src/share/org/apache/struts/taglib/html/RewriteTag.java
++++ b/src/share/org/apache/struts/taglib/html/RewriteTag.java
+@@ -24,6 +24,7 @@ import java.util.Map;
+ import javax.servlet.jsp.JspException;
+ 
+ import org.apache.struts.taglib.TagUtils;
++import org.apache.struts.util.ResponseUtils;
+ 
+ /**
+  * Generate a URL-encoded URI as a string.
+@@ -72,7 +73,8 @@ public class RewriteTag extends LinkTag {
+                 (messages.getMessage("rewrite.url", e.toString()));
+         }
+ 
+-        TagUtils.getInstance().write(pageContext, url);
++        TagUtils.getInstance().write(pageContext,
++                ResponseUtils.filterIfQuote(url));
+ 
+         return (SKIP_BODY);
+ 
+diff --git a/src/share/org/apache/struts/util/ResponseUtils.java b/src/share/org/apache/struts/util/ResponseUtils.java
+index 4588bb2..fe7e517 100644
+--- a/src/share/org/apache/struts/util/ResponseUtils.java
++++ b/src/share/org/apache/struts/util/ResponseUtils.java
+@@ -137,6 +137,37 @@ public class ResponseUtils {
+     }
+ 
+ 
++    /**
++     * Replace double-quote characters in the input string with
++     * proper HTML encoding.
++     * 
++     * No other HTML-encoding is performed.  As a result, the return value
++     * can only be safely used in (X)HTML attributes surrounded by
++     * double-quote characters (<code>"</code>).
++     * 
++     * <p>Note that you should not use this function in new code.
++     * It is only intended for old code which needs to be
++     * backwards-compatible with incompletely-quoted attributes.
++     * 
++     * @return a fresh string object if quoting is needed,
++     *   otherwise the input string
++     */
++    public static String filterIfQuote(String value) {
++    	if (value == null)
++    		return null;
++    	if (value.indexOf('"') >= 0) {
++    		StringBuffer sb = new StringBuffer(value.length() + 2);
++    		for (int i = 0; i < value.length(); ++i) {
++    			final char ch = value.charAt(i);
++    			if (ch == '"')
++    				sb.append("&quot;");
++    			else
++    				sb.append(ch);
++    		}
++    		return sb.toString();
++    	}
++    	return value;
++    }
+ 
+     
+     /**
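Review bot: `filterIfQuote` escapes only the double-quote character, and its own Javadoc limits the result to use inside double-quoted (X)HTML attributes, yet the RewriteTag change `TagUtils.getInstance().write(pageContext, ResponseUtils.filterIfQuote(url))` emits the value as free page content whose surrounding context is chosen by the JSP author, so a single-quoted attribute or element text would presumably receive `<`, `>` and `'` unfiltered. Either document that assumption at the call site or use the full `TagUtils.getInstance().filter(url)` there, as the `filter` branches in OptionsTag and OptionsCollectionTag already do. The initial capacity `new StringBuffer(value.length() + 2)` is misleading since each `"` becomes the six-character `&quot;`; `value.length() + 8` or plain `value.length()` reads more honestly. The new method also mixes tabs and spaces while the surrounding ResponseUtils code uses four-space indentation.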



