[tomcat8] 01/01: CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet

Emmanuel Bourg ebourg-guest at moszumanska.debian.org
Sat Dec 17 00:54:31 UTC 2016 

This is an automated email from the git hooks/post-receive script.

ebourg-guest pushed a commit to branch jessie
in repository tomcat8.

commit 54f82c0d5a6136759c22770852eccbfdf062eebd
Author: Emmanuel Bourg <ebourg at apache.org>
Date:   Sat Dec 17 01:53:40 2016 +0100

    CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
---
 debian/changelog                   |  1 +
 debian/patches/CVE-2015-5345.patch | 66 +++++++++++++++++++++++++++++++++++---
 2 files changed, 62 insertions(+), 5 deletions(-)

diff --git a/debian/changelog b/debian/changelog
index 526f8d1..f51469c 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -20,6 +20,7 @@ tomcat8 (8.0.14-1+deb8u5) UNRELEASED; urgency=medium
     a ClassNotFoundException when the security manager is enabled (see #846298)
   * CVE-2016-6797 follow-up: Fixed a regression preventing some applications
     from accessing the global resources (see #845425)
+  * CVE-2015-5345 follow-up: Applied a missing modification to DefaultServlet
   * Backported a fix for a test failure in Test*NonLoginAndBasicAuthenticator
     with recent JREs
   * Backported a fix disabling the broken SSLv3 tests
diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch
index 32904fe..787069d 100644
--- a/debian/patches/CVE-2015-5345.patch
+++ b/debian/patches/CVE-2015-5345.patch
@@ -4,6 +4,7 @@ Description: Fixes CVE-2015-5345: The Mapper component in Apache Tomcat processe
  a trailing / (slash) character.
 Author: Markus Koschany <apo at debian.org>
 Origin: backport, https://svn.apache.org/r1715207
+                  https://svn.apache.org/r1717208
                   https://svn.apache.org/r1717209
 --- a/java/org/apache/catalina/Context.java
 +++ b/java/org/apache/catalina/Context.java
@@ -198,7 +199,7 @@ Origin: backport, https://svn.apache.org/r1715207
                      // shouldn't be any)
 --- a/java/org/apache/catalina/servlets/DefaultServlet.java
 +++ b/java/org/apache/catalina/servlets/DefaultServlet.java
-@@ -342,6 +342,10 @@
+@@ -342,42 +342,40 @@
       * @param request The servlet request we are processing
       */
      protected String getRelativePath(HttpServletRequest request) {
@@ -209,7 +210,62 @@ Origin: backport, https://svn.apache.org/r1715207
          // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always
          // serves resources from the web app root with context rooted paths.
          // i.e. it can not be used to mount the web app root under a sub-path
-@@ -703,7 +707,8 @@
+         // This method must construct a complete context rooted path, although
+         // subclasses can change this behaviour.
+ 
+-        // Are we being processed by a RequestDispatcher.include()?
+-        if (request.getAttribute(
+-                RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
+-            String result = (String) request.getAttribute(
+-                    RequestDispatcher.INCLUDE_PATH_INFO);
+-            if (result == null) {
+-                result = (String) request.getAttribute(
+-                        RequestDispatcher.INCLUDE_SERVLET_PATH);
+-            } else {
+-                result = (String) request.getAttribute(
+-                        RequestDispatcher.INCLUDE_SERVLET_PATH) + result;
+-            }
+-            if ((result == null) || (result.equals(""))) {
+-                result = "/";
+-            }
+-            return (result);
+-        }
++        String servletPath;
++        String pathInfo;
+ 
+-        // No, extract the desired path directly from the request
+-        String result = request.getPathInfo();
+-        if (result == null) {
+-            result = request.getServletPath();
++        if (request.getAttribute(RequestDispatcher.INCLUDE_REQUEST_URI) != null) {
++            // For includes, get the info from the attributes
++            pathInfo = (String) request.getAttribute(RequestDispatcher.INCLUDE_PATH_INFO);
++            servletPath = (String) request.getAttribute(RequestDispatcher.INCLUDE_SERVLET_PATH);
+         } else {
+-            result = request.getServletPath() + result;
++            pathInfo = request.getPathInfo();
++            servletPath = request.getServletPath();
++        }
++
++        StringBuilder result = new StringBuilder();
++        if (servletPath.length() > 0) {
++            result.append(servletPath);
++        }
++        if (pathInfo != null) {
++            result.append(pathInfo);
+         }
+-        if ((result == null) || (result.equals(""))) {
+-            result = "/";
++        if (result.length() == 0 && !allowEmptyPath) {
++            result.append('/');
+         }
+-        return (result);
+ 
++        return result.toString();
+     }
+ 
+ 
+@@ -703,7 +701,8 @@
          boolean serveContent = content;
  
          // Identify the requested resource path
@@ -219,7 +275,7 @@ Origin: backport, https://svn.apache.org/r1715207
          if (debug > 0) {
              if (serveContent)
                  log("DefaultServlet.serveResource:  Serving resource '" +
-@@ -713,6 +718,12 @@
+@@ -713,6 +712,12 @@
                      path + "' headers only");
          }
  
@@ -232,7 +288,7 @@ Origin: backport, https://svn.apache.org/r1715207
          WebResource resource = resources.getResource(path);
  
          if (!resource.exists()) {
-@@ -827,6 +838,11 @@
+@@ -827,6 +832,11 @@
          long contentLength = -1L;
  
          if (resource.isDirectory()) {
@@ -244,7 +300,7 @@ Origin: backport, https://svn.apache.org/r1715207
              // Skip directory listings if we have been configured to
              // suppress them
              if (!listings) {
-@@ -1032,6 +1048,16 @@
+@@ -1032,6 +1042,16 @@
          }
      }
  

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git

More information about the pkg-java-commits mailing list