[tomcat7] 01/01: Missing test changes for CVE-2013-2071
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Mon Mar 10 10:15:59 UTC 2014
ebourg-guest pushed a commit to branch wheezy
in repository tomcat7.
commit 68d592e0a513346b6baad1e21296331916078a4c
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Mon Mar 10 10:30:44 2014 +0100
Missing test changes for CVE-2013-2071
---
debian/patches/0020-CVE-2013-2071.patch | 180 +++++++++++++++++++++++++++++++-
1 file changed, 175 insertions(+), 5 deletions(-)
diff --git a/debian/patches/0020-CVE-2013-2071.patch b/debian/patches/0020-CVE-2013-2071.patch
index 856e863..1b05921 100644
--- a/debian/patches/0020-CVE-2013-2071.patch
+++ b/debian/patches/0020-CVE-2013-2071.patch
@@ -1,11 +1,11 @@
Description: Fix for CVE-2013-2071: A runtime exception in AsyncListener.onComplete()
prevents the request from being recycled. This may expose elements of a previous
request to a current request.
-Origin: backport from Tomcat 7.0.40, http://svn.apache.org/r1471372
+Origin: backport from Tomcat 7.0.40, http://svn.apache.org/r1471372, http://svn.apache.org/r1475792 and http://svn.apache.org/r1453622
Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
--- a/java/org/apache/catalina/core/AsyncContextImpl.java
+++ b/java/org/apache/catalina/core/AsyncContextImpl.java
-@@ -98,9 +98,10 @@ public class AsyncContextImpl implements
+@@ -98,9 +98,10 @@
for (AsyncListenerWrapper listener : listenersCopy) {
try {
listener.fireOnComplete(event);
@@ -18,7 +18,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
}
}
}
-@@ -115,7 +116,13 @@ public class AsyncContextImpl implements
+@@ -115,7 +116,13 @@
new ArrayList<AsyncListenerWrapper>();
listenersCopy.addAll(listeners);
for (AsyncListenerWrapper listener : listenersCopy) {
@@ -33,7 +33,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
listenerInvoked = true;
}
if (listenerInvoked) {
-@@ -294,9 +301,10 @@ public class AsyncContextImpl implements
+@@ -294,9 +301,10 @@
for (AsyncListenerWrapper listener : listenersCopy) {
try {
listener.fireOnStartAsync(event);
@@ -46,7 +46,7 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
}
}
listeners.clear();
-@@ -357,9 +365,10 @@ public class AsyncContextImpl implements
+@@ -357,9 +365,10 @@
for (AsyncListenerWrapper listener : listenersCopy) {
try {
listener.fireOnError(errorEvent);
@@ -60,3 +60,173 @@ Bug: https://issues.apache.org/bugzilla/show_bug.cgi?id=54178
}
}
}
+--- a/test/org/apache/catalina/core/TestAsyncContextImpl.java
++++ b/test/org/apache/catalina/core/TestAsyncContextImpl.java
+@@ -19,6 +19,7 @@
+
+ import java.io.File;
+ import java.io.IOException;
++import java.io.PrintWriter;
+ import java.util.LinkedHashMap;
+ import java.util.List;
+ import java.util.Map;
+@@ -448,15 +449,8 @@
+ StringBuilder expected = new StringBuilder("requestInitialized-");
+ expected.append("TimeoutServletGet-onTimeout-");
+ if (completeOnTimeout) {
+- if (dispatchUrl == null) {
+- expected.append("onComplete-");
+- expected.append("requestDestroyed");
+- } else {
+- // Error - no further output
+- // There is no onComplete- since the complete event would be
+- // fired during post processing but since there is an error that
+- // never happens.
+- }
++ expected.append("onComplete-");
++ expected.append("requestDestroyed");
+ } else {
+ if (dispatchUrl == null) {
+ expected.append("onError-");
+@@ -469,12 +463,7 @@
+ assertEquals(expected.toString(), res.toString());
+
+ // Check the access log
+- if (completeOnTimeout && dispatchUrl != null) {
+- // This error is written into Host-level AccessLogValve only
+- alvGlobal.validateAccessLog(1, 500, 0, TimeoutServlet.ASYNC_TIMEOUT
+- + TIMEOUT_MARGIN + REQUEST_TIME);
+- alv.validateAccessLog(0, 500, 0, 0);
+- } else {
++ {
+ alvGlobal.validateAccessLog(1, 200, TimeoutServlet.ASYNC_TIMEOUT,
+ TimeoutServlet.ASYNC_TIMEOUT + TIMEOUT_MARGIN +
+ REQUEST_TIME);
+@@ -1162,7 +1151,7 @@
+
+ private static final long serialVersionUID = 1L;
+
+- private int status = 200;
++ private int status;
+
+ public AsyncStatusServlet(int status) {
+ this.status = status;
+@@ -1360,4 +1349,107 @@
+ }
+ }
+
++ @Test
++ public void testBug54178() throws Exception {
++ // Setup Tomcat instance
++ Tomcat tomcat = getTomcatInstance();
++
++ // Must have a real docBase - just use temp
++ File docBase = new File(System.getProperty("java.io.tmpdir"));
++
++ Context ctx = tomcat.addContext("", docBase.getAbsolutePath());
++
++ Bug54178ServletA bug54178ServletA = new Bug54178ServletA();
++ Wrapper wrapper =
++ Tomcat.addServlet(ctx, "bug54178ServletA", bug54178ServletA);
++ wrapper.setAsyncSupported(true);
++ ctx.addServletMapping("/bug54178ServletA", "bug54178ServletA");
++
++ Bug54178ServletB bug54178ServletB = new Bug54178ServletB();
++ Tomcat.addServlet(ctx, "bug54178ServletB", bug54178ServletB);
++ ctx.addServletMapping("/bug54178ServletB", "bug54178ServletB");
++
++ tomcat.start();
++
++ ByteChunk body = new ByteChunk();
++ int rc = -1;
++
++ try {
++ rc = getUrl("http://localhost:" + getPort() + "/bug54178ServletA?" +
++ Bug54178ServletA.PARAM_NAME + "=bar",
++ body, null);
++ } catch (IOException ioe) {
++ // This may happen if test fails. Output the exception in case it is
++ // useful and let asserts handle the failure
++ ioe.printStackTrace();
++ }
++
++ assertEquals(HttpServletResponse.SC_OK, rc);
++
++ body.recycle();
++
++ rc = getUrl("http://localhost:" + getPort() + "/bug54178ServletB",
++ body, null);
++
++ assertEquals(HttpServletResponse.SC_OK, rc);
++ assertEquals("OK", body.toString());
++ }
++
++ private static class Bug54178ServletA extends HttpServlet {
++
++ public static final String PARAM_NAME = "foo";
++ private static final long serialVersionUID = 1L;
++
++ @Override
++ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
++ throws ServletException, IOException {
++
++ req.getParameter(PARAM_NAME);
++ AsyncContext actxt = req.startAsync();
++ actxt.addListener(new Bug54178AsyncListener());
++ actxt.complete();
++ }
++ }
++
++ private static class Bug54178ServletB extends HttpServlet {
++
++ private static final long serialVersionUID = 1L;
++
++ @Override
++ protected void doGet(HttpServletRequest req, HttpServletResponse resp)
++ throws ServletException, IOException {
++
++ resp.setContentType("text/plain");
++ PrintWriter pw = resp.getWriter();
++ String result = req.getParameter(Bug54178ServletA.PARAM_NAME);
++ if (result == null) {
++ pw.write("OK");
++ } else {
++ pw.write("FAIL");
++ }
++ }
++ }
++
++ private static class Bug54178AsyncListener implements AsyncListener {
++
++ @Override
++ public void onComplete(AsyncEvent event) throws IOException {
++ throw new RuntimeException("Testing Bug54178");
++ }
++
++ @Override
++ public void onTimeout(AsyncEvent event) throws IOException {
++ // NO-OP
++ }
++
++ @Override
++ public void onError(AsyncEvent event) throws IOException {
++ // NO-OP
++ }
++
++ @Override
++ public void onStartAsync(AsyncEvent event) throws IOException {
++ // NO-OP
++ }
++ }
+ }
+--- a/test/org/apache/catalina/tribes/group/TestGroupChannelMemberArrival.java
++++ b/test/org/apache/catalina/tribes/group/TestGroupChannelMemberArrival.java
+@@ -71,7 +71,7 @@
+ for (int i = 0; i < threads.length; i++) {
+ threads[i].join();
+ }
+- Thread.sleep(2000);
++ Thread.sleep(5000);
+ System.out.println(System.currentTimeMillis()
+ + " All channels started.");
+ for (int i = listeners.length - 1; i >= 0; i--) {
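Review bot: testBug54178 never states why a second, parameter-less request to `/bug54178ServletB` is the regression check, so the intent is easy to lose on a later refactor; a comment before `rc = getUrl("http://localhost:" + getPort() + "/bug54178ServletB", body, null);` such as `// The request left un-recycled by the throwing onComplete() must not leak the "foo" parameter into this unrelated request` would pin it. The test presumably relies on the second connection being served by the same recycled Request object, which is worth saying in that comment so a change to the connector's processor reuse does not silently turn it into a no-op. After `// Check the access log` the replacement leaves a bare `{ ... }` block where the removed if/else stood; unwrapping it is a small readability gain, though keeping it minimises drift from upstream. The `Thread.sleep(2000)` to `Thread.sleep(5000)` change in TestGroupChannelMemberArrival.java is not covered by the patch's Description, which only mentions AsyncListener.onComplete(); it appears to come from one of the revisions newly listed in Origin, and naming that in the Description would spare the next reader the question of why a tribes test timing belongs in a CVE backport.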