[Git][java-team/tomcat9][bullseye] 4 commits: Fix CVE-2022-42252, CVE-2022-45143, CVE-2023-28708
Markus Koschany (@apo)
gitlab at salsa.debian.org
Wed Apr 5 16:59:22 BST 2023
Markus Koschany pushed to branch bullseye at Debian Java Maintainers / tomcat9
Commits:
cdb5362a by Markus Koschany at 2023-04-05T08:23:18+02:00
Fix CVE-2022-42252, CVE-2022-45143, CVE-2023-28708
- - - - -
e65335e5 by Markus Koschany at 2023-04-05T08:24:11+02:00
Update changelog
- - - - -
d42fad10 by Markus Koschany at 2023-04-05T17:47:19+02:00
Update changelog
- - - - -
ba9ffe0d by Markus Koschany at 2023-04-05T17:53:07+02:00
Update patch headers
- - - - -
5 changed files:
- debian/changelog
- + debian/patches/CVE-2022-42252.patch
- + debian/patches/CVE-2022-45143.patch
- + debian/patches/CVE-2023-28708.patch
- debian/patches/series
Changes:
=====================================
debian/changelog
=====================================
@@ -1,3 +1,26 @@
+tomcat9 (9.0.43-2~deb11u6) bullseye-security; urgency=high
+
+ * Team upload.
+ * Fix CVE-2022-42252:
+ Apache Tomcat was configured to ignore invalid HTTP headers via setting
+ rejectIllegalHeader to false. Tomcat did not reject a request containing an
+ invalid Content-Length header making a request smuggling attack possible if
+ Tomcat was located behind a reverse proxy that also failed to reject the
+ request with the invalid header.
+ * Fix CVE-2022-45143:
+ The JsonErrorReportValve in Apache Tomcat did not escape the type, message
+ or description values. In some circumstances these are constructed from
+ user provided data and it was therefore possible for users to supply values
+ that invalidated or manipulated the JSON output.
+ * Fix CVE-2023-28708:
+ When using the RemoteIpFilter with requests received from a reverse proxy
+ via HTTP that include the X-Forwarded-Proto header set to https, session
+ cookies created by Apache Tomcat did not include the secure attribute. This
+ could result in the user agent transmitting the session cookie over an
+ insecure channel. (Closes: #1033475)
+
+ -- Markus Koschany <apo at debian.org> Wed, 05 Apr 2023 17:47:16 +0200
+
tomcat9 (9.0.43-2~deb11u5) bullseye; urgency=medium
* Team upload.
=====================================
debian/patches/CVE-2022-42252.patch
=====================================
@@ -0,0 +1,137 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 5 Apr 2023 08:14:54 +0200
+Subject: CVE-2022-42252
+
+Origin: https://github.com/apache/tomcat/commit/4c7f4fd09d2cc1692112ef70b8ee23a7a037ae77
+---
+ .../apache/coyote/http11/Http11InputBuffer.java | 42 +++++++++++++++-------
+ .../coyote/http11/TestHttp11InputBuffer.java | 31 ++++++++++++++++
+ 2 files changed, 60 insertions(+), 13 deletions(-)
+
+diff --git a/java/org/apache/coyote/http11/Http11InputBuffer.java b/java/org/apache/coyote/http11/Http11InputBuffer.java
+index 483b08e..2f7b350 100644
+--- a/java/org/apache/coyote/http11/Http11InputBuffer.java
++++ b/java/org/apache/coyote/http11/Http11InputBuffer.java
+@@ -886,7 +886,7 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
+ headerData.lastSignificantChar = pos;
+ byteBuffer.position(byteBuffer.position() - 1);
+ // skipLine() will handle the error
+- return skipLine();
++ return skipLine(false);
+ }
+
+ // chr is next byte of header name. Convert to lowercase.
+@@ -897,7 +897,7 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
+
+ // Skip the line and ignore the header
+ if (headerParsePos == HeaderParsePosition.HEADER_SKIPLINE) {
+- return skipLine();
++ return skipLine(false);
+ }
+
+ //
+@@ -948,15 +948,11 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
+ } else if (prevChr == Constants.CR && chr == Constants.LF) {
+ eol = true;
+ } else if (prevChr == Constants.CR) {
+- // Invalid value
+- // Delete the header (it will be the most recent one)
+- headers.removeHeader(headers.size() - 1);
+- return skipLine();
++ // Invalid value - also need to delete header
++ return skipLine(true);
+ } else if (chr != Constants.HT && HttpParser.isControl(chr)) {
+- // Invalid value
+- // Delete the header (it will be the most recent one)
+- headers.removeHeader(headers.size() - 1);
+- return skipLine();
++ // Invalid value - also need to delete header
++ return skipLine(true);
+ } else if (chr == Constants.SP || chr == Constants.HT) {
+ byteBuffer.put(headerData.realPos, chr);
+ headerData.realPos++;
+@@ -1004,7 +1000,27 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
+ }
+
+
+- private HeaderParseStatus skipLine() throws IOException {
++ private HeaderParseStatus skipLine(boolean deleteHeader) throws IOException {
++ boolean rejectThisHeader = rejectIllegalHeader;
++ // Check if rejectIllegalHeader is disabled and needs to be overridden
++ // for this header. The header name is required to determine if this
++ // override is required. The header name is only available once the
++ // header has been created. If the header has been created then
++ // deleteHeader will be true.
++ if (!rejectThisHeader && deleteHeader) {
++ if (headers.getName(headers.size() - 1).equalsIgnoreCase("content-length")) {
++ // Malformed content-length headers must always be rejected
++ // RFC 9112, section 6.3, bullet 5.
++ rejectThisHeader = true;
++ } else {
++ // Only need to delete the header if the request isn't going to
++ // be rejected (it will be the most recent one)
++ headers.removeHeader(headers.size() - 1);
++ }
++ }
++
++ // Parse the rest of the invalid header so we can construct a useful
++ // exception and/or debug message.
+ headerParsePos = HeaderParsePosition.HEADER_SKIPLINE;
+ boolean eol = false;
+
+@@ -1029,11 +1045,11 @@ public class Http11InputBuffer implements InputBuffer, ApplicationBufferHandler
+ headerData.lastSignificantChar = pos;
+ }
+ }
+- if (rejectIllegalHeader || log.isDebugEnabled()) {
++ if (rejectThisHeader || log.isDebugEnabled()) {
+ String message = sm.getString("iib.invalidheader",
+ HeaderUtil.toPrintableString(byteBuffer.array(), headerData.lineStart,
+ headerData.lastSignificantChar - headerData.lineStart + 1));
+- if (rejectIllegalHeader) {
++ if (rejectThisHeader) {
+ throw new IllegalArgumentException(message);
+ }
+ log.debug(message);
+diff --git a/test/org/apache/coyote/http11/TestHttp11InputBuffer.java b/test/org/apache/coyote/http11/TestHttp11InputBuffer.java
+index 94b9a17..6edccc0 100644
+--- a/test/org/apache/coyote/http11/TestHttp11InputBuffer.java
++++ b/test/org/apache/coyote/http11/TestHttp11InputBuffer.java
+@@ -724,6 +724,37 @@ public class TestHttp11InputBuffer extends TomcatBaseTest {
+ }
+
+
++ @Test
++ public void testInvalidContentLength01() {
++ doTestInvalidContentLength(false);
++ }
++
++
++ @Test
++ public void testInvalidContentLength02() {
++ doTestInvalidContentLength(true);
++ }
++
++
++ private void doTestInvalidContentLength(boolean rejectIllegalHeader) {
++ getTomcatInstance().getConnector().setProperty("rejectIllegalHeader", Boolean.toString(rejectIllegalHeader));
++
++ String[] request = new String[1];
++ request[0] =
++ "POST /test HTTP/1.1" + CRLF +
++ "Host: localhost:8080" + CRLF +
++ "Content-Length: 12\u000734" + CRLF +
++ "Connection: close" + CRLF +
++ CRLF;
++
++ InvalidClient client = new InvalidClient(request);
++
++ client.doRequest();
++ Assert.assertTrue(client.getResponseLine(), client.isResponse400());
++ Assert.assertTrue(client.isResponseBodyOK());
++ }
++
++
+ /**
+ * Invalid request test client.
+ */
=====================================
debian/patches/CVE-2022-45143.patch
=====================================
@@ -0,0 +1,193 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 5 Apr 2023 08:17:31 +0200
+Subject: CVE-2022-45143
+
+Origin: https://github.com/apache/tomcat/commit/b336f4e58893ea35114f1e4a415657f723b1298e
+---
+ .../catalina/valves/JsonErrorReportValve.java | 7 +-
+ java/org/apache/tomcat/util/json/JSONFilter.java | 61 ++++++++++++++++
+ .../apache/tomcat/util/json/TestJSONFilter.java | 82 ++++++++++++++++++++++
+ 3 files changed, 147 insertions(+), 3 deletions(-)
+ create mode 100644 java/org/apache/tomcat/util/json/JSONFilter.java
+ create mode 100644 test/org/apache/tomcat/util/json/TestJSONFilter.java
+
+diff --git a/java/org/apache/catalina/valves/JsonErrorReportValve.java b/java/org/apache/catalina/valves/JsonErrorReportValve.java
+index bde4c57..dfd3a1c 100644
+--- a/java/org/apache/catalina/valves/JsonErrorReportValve.java
++++ b/java/org/apache/catalina/valves/JsonErrorReportValve.java
+@@ -24,6 +24,7 @@ import org.apache.catalina.connector.Request;
+ import org.apache.catalina.connector.Response;
+ import org.apache.coyote.ActionCode;
+ import org.apache.tomcat.util.ExceptionUtils;
++import org.apache.tomcat.util.json.JSONFilter;
+ import org.apache.tomcat.util.res.StringManager;
+
+ /**
+@@ -82,9 +83,9 @@ public class JsonErrorReportValve extends ErrorReportValve {
+ }
+ }
+ String jsonReport = "{\n" +
+- " \"type\": \"" + type + "\",\n" +
+- " \"message\": \"" + message + "\"\n" +
+- " \"description\": \"" + description + "\"\n" +
++ " \"type\": \"" + JSONFilter.escape(type) + "\",\n" +
++ " \"message\": \"" + JSONFilter.escape(message) + "\",\n" +
++ " \"description\": \"" + JSONFilter.escape(description) + "\"\n" +
+ "}";
+ try {
+ try {
+diff --git a/java/org/apache/tomcat/util/json/JSONFilter.java b/java/org/apache/tomcat/util/json/JSONFilter.java
+new file mode 100644
+index 0000000..cb255dc
+--- /dev/null
++++ b/java/org/apache/tomcat/util/json/JSONFilter.java
+@@ -0,0 +1,61 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.json;
++
++/**
++ * Provides escaping of values so they can be included in a JSON document.
++ * Escaping is based on the definition of JSON found in
++ * <a href="https://www.rfc-editor.org/rfc/rfc8259.html">RFC 8259</a>.
++ */
++public class JSONFilter {
++
++ private JSONFilter() {
++ // Utility class. Hide the default constructor.
++ }
++
++ public static String escape(String input) {
++ /*
++ * While any character MAY be escaped, only U+0000 to U+001F (control
++ * characters), U+0022 (quotation mark) and U+005C (reverse solidus)
++ * MUST be escaped.
++ */
++ char[] chars = input.toCharArray();
++ StringBuffer escaped = null;
++ int lastUnescapedStart = 0;
++ for (int i = 0; i < chars.length; i++) {
++ if (chars[i] < 0x20 || chars[i] == 0x22 || chars[i] == 0x5c) {
++ if (escaped == null) {
++ escaped = new StringBuffer(chars.length + 20);
++ }
++ if (lastUnescapedStart < i) {
++ escaped.append(input.subSequence(lastUnescapedStart, i));
++ }
++ lastUnescapedStart = i + 1;
++ escaped.append("\\u");
++ escaped.append(String.format("%04X", Integer.valueOf(chars[i])));
++ }
++ }
++ if (escaped == null) {
++ return input;
++ } else {
++ if (lastUnescapedStart < chars.length) {
++ escaped.append(input.subSequence(lastUnescapedStart, chars.length));
++ }
++ return escaped.toString();
++ }
++ }
++}
+diff --git a/test/org/apache/tomcat/util/json/TestJSONFilter.java b/test/org/apache/tomcat/util/json/TestJSONFilter.java
+new file mode 100644
+index 0000000..0e06433
+--- /dev/null
++++ b/test/org/apache/tomcat/util/json/TestJSONFilter.java
+@@ -0,0 +1,82 @@
++/*
++ * Licensed to the Apache Software Foundation (ASF) under one or more
++ * contributor license agreements. See the NOTICE file distributed with
++ * this work for additional information regarding copyright ownership.
++ * The ASF licenses this file to You under the Apache License, Version 2.0
++ * (the "License"); you may not use this file except in compliance with
++ * the License. You may obtain a copy of the License at
++ *
++ * http://www.apache.org/licenses/LICENSE-2.0
++ *
++ * Unless required by applicable law or agreed to in writing, software
++ * distributed under the License is distributed on an "AS IS" BASIS,
++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
++ * See the License for the specific language governing permissions and
++ * limitations under the License.
++ */
++package org.apache.tomcat.util.json;
++
++import java.util.ArrayList;
++import java.util.Collection;
++
++import org.junit.Assert;
++import org.junit.Test;
++import org.junit.runner.RunWith;
++import org.junit.runners.Parameterized;
++import org.junit.runners.Parameterized.Parameter;
++
++
++ at RunWith(Parameterized.class)
++public class TestJSONFilter {
++
++ @Parameterized.Parameters(name = "{index}: input[{0}], output[{1}]")
++ public static Collection<Object[]> parameters() {
++ Collection<Object[]> parameterSets = new ArrayList<>();
++
++ // Empty
++ parameterSets.add(new String[] { "", "" });
++
++ // Must escape
++ parameterSets.add(new String[] { "\"", "\\u0022" });
++ parameterSets.add(new String[] { "\\", "\\u005C" });
++ // Sample of controls
++ parameterSets.add(new String[] { "\t", "\\u0009" });
++ parameterSets.add(new String[] { "\n", "\\u000A" });
++ parameterSets.add(new String[] { "\r", "\\u000D" });
++
++ // No escape
++ parameterSets.add(new String[] { "aaa", "aaa" });
++
++ // Start
++ parameterSets.add(new String[] { "\naaa", "\\u000Aaaa" });
++ parameterSets.add(new String[] { "\n\naaa", "\\u000A\\u000Aaaa" });
++
++ // Middle
++ parameterSets.add(new String[] { "aaa\naaa", "aaa\\u000Aaaa" });
++ parameterSets.add(new String[] { "aaa\n\naaa", "aaa\\u000A\\u000Aaaa" });
++
++ // End
++ parameterSets.add(new String[] { "aaa\n", "aaa\\u000A" });
++ parameterSets.add(new String[] { "aaa\n\n", "aaa\\u000A\\u000A" });
++
++ // Start, middle and end
++ parameterSets.add(new String[] { "\naaa\naaa\n", "\\u000Aaaa\\u000Aaaa\\u000A" });
++ parameterSets.add(new String[] { "\n\naaa\n\naaa\n\n", "\\u000A\\u000Aaaa\\u000A\\u000Aaaa\\u000A\\u000A" });
++
++ // Multiple
++ parameterSets.add(new String[] { "\n\n", "\\u000A\\u000A" });
++
++ return parameterSets;
++ }
++
++ @Parameter(0)
++ public String input;
++
++ @Parameter(1)
++ public String output;
++
++ @Test
++ public void testStringEscaping() {
++ Assert.assertEquals(output, JSONFilter.escape(input));;
++ }
++}
=====================================
debian/patches/CVE-2023-28708.patch
=====================================
@@ -0,0 +1,208 @@
+From: Markus Koschany <apo at debian.org>
+Date: Wed, 5 Apr 2023 08:22:08 +0200
+Subject: CVE-2023-28708
+
+Bug-Debian: https://bugs.debian.org/1033475
+Origin: https://github.com/apache/tomcat/commit/3b51230764da595bb19e8d0962dd8c69ab40dfab
+---
+ java/org/apache/catalina/Globals.java | 7 ++
+ java/org/apache/catalina/connector/Request.java | 14 ++++
+ .../apache/catalina/filters/RemoteIpFilter.java | 7 +-
+ .../catalina/filters/TestRemoteIpFilter.java | 96 ++++++++++++++++------
+ 4 files changed, 95 insertions(+), 29 deletions(-)
+
+diff --git a/java/org/apache/catalina/Globals.java b/java/org/apache/catalina/Globals.java
+index 52a9f96..24774b5 100644
+--- a/java/org/apache/catalina/Globals.java
++++ b/java/org/apache/catalina/Globals.java
+@@ -112,6 +112,13 @@ public final class Globals {
+ public static final String SENDFILE_SUPPORTED_ATTR = org.apache.coyote.Constants.SENDFILE_SUPPORTED_ATTR;
+
+
++ /**
++ * The request attribute that is set to the value of {@code Boolean.TRUE}
++ * if {@link org.apache.catalina.filters.RemoteIpFilter} determines
++ * that this request was submitted via a secure channel.
++ */
++ public static final String REMOTE_IP_FILTER_SECURE = "org.apache.catalina.filters.RemoteIpFilter.secure";
++
+ /**
+ * The request attribute that can be used by a servlet to pass
+ * to the connector the name of the file that is to be served
+diff --git a/java/org/apache/catalina/connector/Request.java b/java/org/apache/catalina/connector/Request.java
+index 3172a19..e9869bc 100644
+--- a/java/org/apache/catalina/connector/Request.java
++++ b/java/org/apache/catalina/connector/Request.java
+@@ -3593,6 +3593,20 @@ public class Request implements HttpServletRequest {
+ // NO-OP
+ }
+ });
++ specialAttributes.put(Globals.REMOTE_IP_FILTER_SECURE,
++ new SpecialAttributeAdapter() {
++ @Override
++ public Object get(Request request, String name) {
++ return Boolean.valueOf(request.isSecure());
++ }
++
++ @Override
++ public void set(Request request, String name, Object value) {
++ if (value instanceof Boolean) {
++ request.setSecure(((Boolean) value).booleanValue());
++ }
++ }
++ });
+ specialAttributes.put(Globals.STREAM_ID,
+ new SpecialAttributeAdapter() {
+ @Override
+diff --git a/java/org/apache/catalina/filters/RemoteIpFilter.java b/java/org/apache/catalina/filters/RemoteIpFilter.java
+index 72ea1e2..bb8e71b 100644
+--- a/java/org/apache/catalina/filters/RemoteIpFilter.java
++++ b/java/org/apache/catalina/filters/RemoteIpFilter.java
+@@ -581,11 +581,6 @@ public class RemoteIpFilter extends GenericFilter {
+ return serverPort;
+ }
+
+- @Override
+- public boolean isSecure() {
+- return secure;
+- }
+-
+ public void removeHeader(String name) {
+ Map.Entry<String, List<String>> header = getHeaderEntry(name);
+ if (header != null) {
+@@ -625,7 +620,7 @@ public class RemoteIpFilter extends GenericFilter {
+ }
+
+ public void setSecure(boolean secure) {
+- this.secure = secure;
++ super.getRequest().setAttribute(Globals.REMOTE_IP_FILTER_SECURE, Boolean.valueOf(secure));
+ }
+
+ public void setServerName(String serverName) {
+diff --git a/test/org/apache/catalina/filters/TestRemoteIpFilter.java b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+index 88e8f6b..2ba68ba 100644
+--- a/test/org/apache/catalina/filters/TestRemoteIpFilter.java
++++ b/test/org/apache/catalina/filters/TestRemoteIpFilter.java
+@@ -82,15 +82,21 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
+
+ private static final long serialVersionUID = 1L;
+
+- private transient HttpServletRequest request;
+-
+- public HttpServletRequest getRequest() {
+- return request;
+- }
++ public String remoteAddr;
++ public String remoteHost;
++ public String scheme;
++ public String serverName;
++ public int serverPort;
++ public boolean isSecure;
+
+ @Override
+ public void service(HttpServletRequest request, HttpServletResponse response) throws ServletException, IOException {
+- this.request = request;
++ this.isSecure = request.isSecure();
++ this.remoteAddr = request.getRemoteAddr();
++ this.remoteHost = request.getRemoteHost();
++ this.scheme = request.getScheme();
++ this.serverName = request.getServerName();
++ this.serverPort = request.getServerPort();
+ PrintWriter writer = response.getWriter();
+
+ writer.println("request.remoteAddr=" + request.getRemoteAddr());
+@@ -129,16 +135,6 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
+ getCoyoteRequest().scheme().setString(scheme);
+ }
+
+- @Override
+- public void setAttribute(String name, Object value) {
+- getCoyoteRequest().getAttributes().put(name, value);
+- }
+-
+- @Override
+- public Object getAttribute(String name) {
+- return getCoyoteRequest().getAttributes().get(name);
+- }
+-
+ @Override
+ public String getServerName() {
+ return "localhost";
+@@ -770,16 +766,70 @@ public class TestRemoteIpFilter extends TomcatBaseTest {
+
+ // VALIDATE
+ Assert.assertEquals(HttpURLConnection.HTTP_OK, httpURLConnection.getResponseCode());
+- HttpServletRequest request = mockServlet.getRequest();
+- Assert.assertNotNull(request);
+
+ // VALIDATE X-FORWARDED-FOR
+- Assert.assertEquals(expectedRemoteAddr, request.getRemoteAddr());
+- Assert.assertEquals(expectedRemoteAddr, request.getRemoteHost());
++ Assert.assertEquals(expectedRemoteAddr, mockServlet.remoteAddr);
++ Assert.assertEquals(expectedRemoteAddr, mockServlet.remoteHost);
+
+ // VALIDATE X-FORWARDED-PROTO
+- Assert.assertTrue(request.isSecure());
+- Assert.assertEquals("https", request.getScheme());
+- Assert.assertEquals(443, request.getServerPort());
++ Assert.assertTrue(mockServlet.isSecure);
++ Assert.assertEquals("https", mockServlet.scheme);
++ Assert.assertEquals(443, mockServlet.serverPort);
++ }
++
++ @Test
++ public void testJSessionIdSecureAttributeMissing() throws Exception {
++
++ // mostly default configuration : enable "x-forwarded-proto"
++ Map<String, String> remoteIpFilterParameter = new HashMap<>();
++ remoteIpFilterParameter.put("protocolHeader", "x-forwarded-proto");
++
++ // SETUP
++ Tomcat tomcat = getTomcatInstance();
++ Context root = tomcat.addContext("", TEMP_DIR);
++
++ FilterDef filterDef = new FilterDef();
++ filterDef.getParameterMap().putAll(remoteIpFilterParameter);
++ filterDef.setFilterClass(RemoteIpFilter.class.getName());
++ filterDef.setFilterName(RemoteIpFilter.class.getName());
++
++ root.addFilterDef(filterDef);
++
++ FilterMap filterMap = new FilterMap();
++ filterMap.setFilterName(RemoteIpFilter.class.getName());
++ filterMap.addURLPatternDecoded("*");
++ root.addFilterMap(filterMap);
++
++ Bug66471Servlet bug66471Servlet = new Bug66471Servlet();
++
++ Tomcat.addServlet(root, bug66471Servlet.getClass().getName(), bug66471Servlet);
++ root.addServletMappingDecoded("/test", bug66471Servlet.getClass().getName());
++
++ getTomcatInstance().start();
++
++ Map<String, List<String>> resHeaders = new HashMap<>();
++ Map<String, List<String>> reqHeaders = new HashMap<>();
++ String expectedRemoteAddr = "my-remote-addr";
++ List<String> forwardedFor = new ArrayList<>(1);
++ forwardedFor.add(expectedRemoteAddr);
++ List<String> forwardedProto = new ArrayList<>(1);
++ forwardedProto.add("https");
++ reqHeaders.put("x-forwarded-for", forwardedFor);
++ reqHeaders.put("x-forwarded-proto", forwardedProto);
++
++ getUrl("http://localhost:" + tomcat.getConnector().getLocalPort() +
++ "/test", null, reqHeaders, resHeaders);
++ String setCookie = resHeaders.get("Set-Cookie").get(0);
++ Assert.assertTrue(setCookie.contains("Secure"));
++ Assert.assertTrue(bug66471Servlet.isSecure.booleanValue());
++ }
++ public static class Bug66471Servlet extends HttpServlet {
++ private static final long serialVersionUID = 1L;
++ public Boolean isSecure;
++ @Override
++ protected void doGet(HttpServletRequest req, HttpServletResponse resp) throws ServletException, IOException {
++ req.getSession();
++ isSecure = (Boolean) req.getAttribute(Globals.REMOTE_IP_FILTER_SECURE);
++ }
+ }
+ }
=====================================
debian/patches/series
=====================================
@@ -18,3 +18,6 @@ CVE-2021-42340.patch
CVE-2022-23181.patch
CVE-2022-29885.patch
CVE-2021-43980.patch
+CVE-2022-42252.patch
+CVE-2022-45143.patch
+CVE-2023-28708.patch
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/ea95fb2b0aeec1610b476dec741846da9ef0c164...ba9ffe0d2f0f8f9c6160a3526e50d1a84a96bc78
--
View it on GitLab: https://salsa.debian.org/java-team/tomcat9/-/compare/ea95fb2b0aeec1610b476dec741846da9ef0c164...ba9ffe0d2f0f8f9c6160a3526e50d1a84a96bc78
You're receiving this email because of your account on salsa.debian.org.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://alioth-lists.debian.net/pipermail/pkg-java-commits/attachments/20230405/0951872a/attachment.htm>
More information about the pkg-java-commits
mailing list