[tomcat8] 01/01: CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
Emmanuel Bourg
ebourg-guest at moszumanska.debian.org
Sat Dec 17 00:54:31 UTC 2016
This is an automated email from the git hooks/post-receive script.
ebourg-guest pushed a commit to branch jessie
in repository tomcat8.
commit 54f82c0d5a6136759c22770852eccbfdf062eebd
Author: Emmanuel Bourg <ebourg at apache.org>
Date: Sat Dec 17 01:53:40 2016 +0100
CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
---
debian/changelog | 1 +
debian/patches/CVE-2015-5345.patch | 66 +++++++++++++++++++++++++++++++++++---
2 files changed, 62 insertions(+), 5 deletions(-)
diff --git a/debian/changelog b/debian/changelog
index 526f8d1..f51469c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -20,6 +20,7 @@ tomcat8 (8.0.14-1+deb8u5) UNRELEASED; urgency=medium
a ClassNotFoundException when the security manager is enabled (see #846298)
* CVE-2016-6797 follow-up: Fixed a regression preventing some applications
from accessing the global resources (see #845425)
+ * CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
* Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
with recent JREs
* Backported a fix disabling the broken SSLv3 tests
diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch
index 32904fe..787069d 100644
--- a/debian/patches/CVE-2015-5345.patch
+++ b/debian/patches/CVE-2015-5345.patch
@@ -4,6 +4,7 @@ Description: Fixes CVE-2015-5345: The Mapper component in Apache Tomcat processe
a trailing / (slash) character.
Author: Markus Koschany <apo at debian.org>
Origin: backport, https://svn.apache.org/r1715207
+ https://svn.apache.org/r1717208
https://svn.apache.org/r1717209
--- a/java/org/apache/catalina/Context.java
+++ b/java/org/apache/catalina/Context.java
@@ -198,7 +199,7 @@ Origin: backport, https://svn.apache.org/r1715207
// shouldn't be any)
--- a/java/org/apache/catalina/servlets/DefaultServlet.java
+++ b/java/org/apache/catalina/servlets/DefaultServlet.java
-@@ -342,6 +342,10 @@
+@@ -342,42 +342,40 @@
* @param request The servlet request we are processing
*/
protected String getRelativePath(HttpServletRequest request) {
@@ -209,7 +210,62 @@ Origin: backport, https://svn.apache.org/r1715207
// IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
// serves resources from the web app root with context rooted paths.
// i.e. it can not be used to mount the web app root under a sub-path
-@@ -703,7 +707,8 @@
+ // This method must construct a complete context rooted path, although
+ // subclasses can change this behaviour.
+
+- // Are we being processed by a RequestDispatcher.include()?
+- if (request.getAttribute(
+- RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
+- String result = (String) request.getAttribute(
+- RequestDispatcher.INCLUDE_PATH_INFO);
+- if (result == null) {
+- result = (String) request.getAttribute(
+- RequestDispatcher.INCLUDE_SERVLET_PATH);
+- } else {
+- result = (String) request.getAttribute(
+- RequestDispatcher.INCLUDE_SERVLET_PATH) + result;
+- }
+- if ((result == null) || (result.equals(""))) {
+- result = "/";
+- }
+- return (result);
+- }
++ String servletPath;
++ String pathInfo;
+
+- // No, extract the desired path directly from the request
+- String result = request.getPathInfo();
+- if (result == null) {
+- result = request.getServletPath();
++ if (request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
++ // For includes, get the info from the attributes
++ pathInfo = (String) request.getAttribute(RequestDispatcher.INCLUDE_PATH_INFO);
++ servletPath = (String) request.getAttribute(RequestDispatcher.INCLUDE_SERVLET_PATH);
+ } else {
+- result = request.getServletPath() + result;
++ pathInfo = request.getPathInfo();
++ servletPath = request.getServletPath();
++ }
++
++ StringBuilder result = new StringBuilder();
++ if (servletPath.length() > 0) {
++ result.append(servletPath);
++ }
++ if (pathInfo != null) {
++ result.append(pathInfo);
+ }
+- if ((result == null) || (result.equals(""))) {
+- result = "/";
++ if (result.length() == 0 && !allowEmptyPath) {
++ result.append('/');
+ }
+- return (result);
+
++ return result.toString();
+ }
+
+
+@@ -703,7 +701,8 @@
boolean serveContent = content;
// Identify the requested resource path
@@ -219,7 +275,7 @@ Origin: backport, https://svn.apache.org/r1715207
if (debug > 0) {
if (serveContent)
log("DefaultServlet.serveResource: Serving resource '" +
-@@ -713,6 +718,12 @@
+@@ -713,6 +712,12 @@
path + "' headers only");
}
@@ -232,7 +288,7 @@ Origin: backport, https://svn.apache.org/r1715207
WebResource resource = resources.getResource(path);
if (!resource.exists()) {
-@@ -827,6 +838,11 @@
+@@ -827,6 +832,11 @@
long contentLength = -1L;
if (resource.isDirectory()) {
@@ -244,7 +300,7 @@ Origin: backport, https://svn.apache.org/r1715207
// Skip directory listings if we have been configured to
// suppress them
if (!listings) {
-@@ -1032,6 +1048,16 @@
+@@ -1032,6 +1042,16 @@
}
}
--
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git
More information about the pkg-java-commits
mailing list