[jboss-cvs] Repository SVN: r27649 - in apache-tomcat: 5.0.30.patch07-brew and 2 other directories.
jboss-cvs-commits at lists.jboss.org
jboss-cvs-commits at lists.jboss.org
Tue Jul 7 18:33:39 EDT 2009
Author: dknox at redhat.com
Date: 2009-07-07 18:33:37 -0400 (Tue, 07 Jul 2009)
New Revision: 27649
Added:
apache-tomcat/5.0.30.patch07-brew/
apache-tomcat/5.0.30.patch07-brew/component-info.xml
apache-tomcat/5.0.30.patch07-brew/lib/
apache-tomcat/5.0.30.patch07-brew/lib/catalina-manager.jar
apache-tomcat/5.0.30.patch07-brew/lib/catalina-optional.jar
apache-tomcat/5.0.30.patch07-brew/lib/catalina.jar
apache-tomcat/5.0.30.patch07-brew/lib/jasper-compiler.jar
apache-tomcat/5.0.30.patch07-brew/lib/jasper-runtime.jar
apache-tomcat/5.0.30.patch07-brew/lib/jsp-api.jar
apache-tomcat/5.0.30.patch07-brew/lib/naming-common.jar
apache-tomcat/5.0.30.patch07-brew/lib/naming-resources.jar
apache-tomcat/5.0.30.patch07-brew/lib/servlet-api.jar
apache-tomcat/5.0.30.patch07-brew/lib/servlets-common.jar
apache-tomcat/5.0.30.patch07-brew/lib/servlets-default.jar
apache-tomcat/5.0.30.patch07-brew/lib/servlets-invoker.jar
apache-tomcat/5.0.30.patch07-brew/lib/servlets-webdav.jar
apache-tomcat/5.0.30.patch07-brew/lib/tomcat-coyote.jar
apache-tomcat/5.0.30.patch07-brew/lib/tomcat-http11.jar
apache-tomcat/5.0.30.patch07-brew/lib/tomcat-jk2.jar
apache-tomcat/5.0.30.patch07-brew/lib/tomcat-util.jar
apache-tomcat/5.0.30.patch07-brew/src/
apache-tomcat/5.0.30.patch07-brew/src/jakarta-tomcat-5.0.30-src.tar.gz
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2005-2090.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-3835.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7195.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7196.5.x.y.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-0450.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1358.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1858.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2450.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-3382_CVE-2007-3385.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5333.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5461.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-0128.5.0.x.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-1232.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2370.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2938.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-3271.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-bootstrap.MF.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-javaxssl.patch
apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-jbas-2775-server-header.patch
Log:
Committing tomcat5-5_0_30-0jpp_15rh CVE-2009-0033 CVE-2009-0783. CVE-2008-0781 not applied. CVE-2008-5515 not applied.
Added: apache-tomcat/5.0.30.patch07-brew/component-info.xml
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/component-info.xml (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/component-info.xml 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,54 @@
+<project name="apache-tomcat-component-info">
+
+ <component id="apache-tomcat"
+ licenseType="apache-2.0"
+ version="5.0.30.patch07-brew"
+ projectHome="http://jakarta.apache.org/tomcat/index.html"
+ description="Tomcat 5.0 servlet 2.4 web container+patches(JBAS-2775,CVE-2005-3510, CVE-2006-3835, CVE-2005-2090, CVE-2006-7195, CVE-2006-7196, CVE-2007-0450, CVE-2007-1858) and also patches for CVE-2007-3382, CVE-2007-3385 and CVE-2007-2450 and a fix for CVE-2007-5461, and also CVE-2007-1358, 2008-0128, CVE-2007-2449, CVE-2007-1355, CVE-2005-4838, plus CVE-2008-1232, CVE-2008-2370, and CVE-2008-2938, CVE-2008-3271, CVS-2007-5333">
+ <!-- cvsroot=":ext:cvs.devel.redhat.com:/cvs/dist/tomcat5"
+ tag="tomcat5-5_0_30-0jpp_15rh"
+ -->
+ <artifact id="catalina-manager.jar"/>
+ <artifact id="catalina-optional.jar"/>
+ <artifact id="catalina.jar"/>
+ <artifact id="jasper-compiler.jar"/>
+ <artifact id="jasper-runtime.jar"/>
+ <artifact id="naming-resources.jar"/>
+ <artifact id="servlets-default.jar"/>
+ <artifact id="servlets-invoker.jar"/>
+ <artifact id="servlets-webdav.jar"/>
+ <artifact id="servlets-common.jar"/>
+ <artifact id="servlet-api.jar"/>
+ <artifact id="tomcat-coyote.jar"/>
+ <artifact id="tomcat-http11.jar"/>
+ <artifact id="tomcat-util.jar"/>
+ <artifact id="tomcat-jk2.jar"/>
+ <artifact id="naming-common.jar"/>
+ <artifact id="jsp-api.jar"/>
+ <import componentref="apache-modeler">
+ <compatible version="1.1patch"/>
+ </import>
+ <import componentref="commons-el">
+ <compatible version="1.0"/>
+ </import>
+ <export>
+ <include input="catalina-manager.jar"/>
+ <include input="catalina-optional.jar"/>
+ <include input="catalina.jar"/>
+ <include input="jasper-compiler.jar"/>
+ <include input="jasper-runtime.jar"/>
+ <include input="naming-resources.jar"/>
+ <include input="servlets-default.jar"/>
+ <include input="servlets-invoker.jar"/>
+ <include input="servlets-webdav.jar"/>
+ <include input="servlets-common.jar"/>
+ <include input="servlet-api.jar"/>
+ <include input="tomcat-coyote.jar"/>
+ <include input="tomcat-http11.jar"/>
+ <include input="tomcat-util.jar"/>
+ <include input="tomcat-jk2.jar"/>
+ <include input="naming-common.jar"/>
+ <include input="jsp-api.jar"/>
+ </export>
+ </component>
+</project>
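Review bot: The `description` attribute of the `apache-tomcat` component does not mention CVE-2009-0033 or CVE-2009-0783, which the commit log gives as the content of this build, and no patch file for either id appears in the `src/` entries added by this revision, so the shipped jars cannot be traced to those fixes from the metadata. Two ids in the same attribute are written so that a search by CVE id misses them: `CVS-2007-5333` should read `CVE-2007-5333` and `2008-0128` should read `CVE-2008-0128`. The attribute also lists CVE-2005-3510, for which no patch file is added here; it would help to state where that fix comes from.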
Added: apache-tomcat/5.0.30.patch07-brew/lib/catalina-manager.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/catalina-manager.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/catalina-optional.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/catalina-optional.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/catalina.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/catalina.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/jasper-compiler.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/jasper-compiler.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/jasper-runtime.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/jasper-runtime.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/jsp-api.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/jsp-api.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/naming-common.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/naming-common.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/naming-resources.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/naming-resources.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/servlet-api.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlet-api.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/servlets-common.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlets-common.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/servlets-default.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlets-default.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/servlets-invoker.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlets-invoker.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/servlets-webdav.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlets-webdav.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-coyote.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-coyote.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-http11.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-http11.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-jk2.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-jk2.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-util.jar
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-util.jar
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/src/jakarta-tomcat-5.0.30-src.tar.gz
===================================================================
(Binary files differ)
Property changes on: apache-tomcat/5.0.30.patch07-brew/src/jakarta-tomcat-5.0.30-src.tar.gz
___________________________________________________________________
Name: svn:mime-type
+ application/octet-stream
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2005-2090.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2005-2090.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2005-2090.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,39 @@
+--- jakarta-tomcat-connectors/coyote/src/java/org/apache/coyote/Request.java (revision 531784)
++++ jakarta-tomcat-connectors/coyote/src/java/org/apache/coyote/Request.java (working copy)
+@@ -309,7 +309,7 @@
+ public long getContentLengthLong() {
+ if( contentLength > -1 ) return contentLength;
+
+- MessageBytes clB = headers.getValue("content-length");
++ MessageBytes clB = headers.getUniqueValue("content-length");
+ contentLength = (clB == null || clB.isNull()) ? -1 : clB.getLong();
+
+ return contentLength;
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/MimeHeaders.java (revision 531784)
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/MimeHeaders.java (working copy)
+@@ -286,6 +286,25 @@
+ return null;
+ }
+
++ /**
++ * Finds and returns a unique header field with the given name. If no such
++ * field exists, null is returned. If the specified header field is not
++ * unique then an {@link IllegalArgumentException} is thrown.
++ */
++ public MessageBytes getUniqueValue(String name) {
++ MessageBytes result = null;
++ for (int i = 0; i < count; i++) {
++ if (headers[i].getName().equalsIgnoreCase(name)) {
++ if (result == null) {
++ result = headers[i].getValue();
++ } else {
++ throw new IllegalArgumentException();
++ }
++ }
++ }
++ return result;
++ }
++
+ // bad shortcut - it'll convert to string ( too early probably,
+ // encoding is guessed very late )
+ public String getHeader(String name) {
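Review bot: `getUniqueValue` throws a bare `IllegalArgumentException()` when the header is repeated, and the patched `getContentLengthLong()` does not catch it, so a request with duplicate Content-Length headers surfaces as an unchecked exception without a message; where that is turned into an error response is not visible in these hunks. I would give it a message, `throw new IllegalArgumentException("Duplicate header: " + name);`, so the rejection can be identified in logs. The Javadoc should also gain an `@param name` line and a sentence saying the name is matched case-insensitively. Both `getContentLengthLong` and the code around `getUniqueValue` continue outside the hunks.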
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-3835.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-3835.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-3835.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,34 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java 2005/11/09 19:43:12 332126
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java 2005/11/09 19:50:47 332127
+@@ -98,7 +98,7 @@
+ /**
+ * Should we generate directory listings?
+ */
+- protected boolean listings = true;
++ protected boolean listings = false;
+
+
+ /**
+--- jakarta-tomcat-catalina/catalina/src/conf/web.xml.orig 2004-11-24 11:55:06.000000000 -0500
++++ jakarta-tomcat-catalina/catalina/src/conf/web.xml 2007-04-27 16:58:02.000000000 -0400
+@@ -31,7 +31,10 @@
+ <!-- resources to be served. [2048] -->
+ <!-- -->
+ <!-- listings Should directory listings be produced if there -->
+- <!-- is no welcome file in this directory? [true] -->
++ <!-- is no welcome file in this directory? [false] -->
++ <!-- WARNING: Listings for directories with many -->
++ <!-- entries can be slow and may consume -->
++ <!-- significant proportions of server resources. -->
+ <!-- -->
+ <!-- output Output buffer size (in bytes) when writing -->
+ <!-- resources to be served. [2048] -->
+@@ -68,7 +71,7 @@
+ </init-param>
+ <init-param>
+ <param-name>listings</param-name>
+- <param-value>true</param-value>
++ <param-value>false</param-value>
+ </init-param>
+ <load-on-startup>1</load-on-startup>
+ </servlet>
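Review bot: The warning added to the `listings` comment in web.xml gives only the resource-usage reason for the new default, although the patch is filed under a CVE id, so an operator reading it gets no hint that enabling listings also exposes the names of the files in a directory. I would add one more comment line in the same block, `<!-- Listings also disclose directory contents to clients. -->`. The new default only protects deployments that do not set `listings` to `true` in their own web.xml, which is worth stating in the release note for this component.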
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7195.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7195.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7195.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,49 @@
+--- jakarta-tomcat-catalina/webapps/docs/appdev/sample/src/mypackage/Hello.java.orig 2004-11-24 11:55:36.000000000 -0500
++++ jakarta-tomcat-catalina/webapps/docs/appdev/sample/src/mypackage/Hello.java 2007-04-27 14:29:32.000000000 -0400
+@@ -68,24 +68,11 @@
+ writer.println("<td>");
+ writer.println("<h1>Sample Application Servlet</h1>");
+ writer.println("This is the output of a servlet that is part of");
+- writer.println("the Hello, World application. It displays the");
+- writer.println("request headers from the request we are currently");
+- writer.println("processing.");
++ writer.println("the Hello, World application.");
+ writer.println("</td>");
+ writer.println("</tr>");
+ writer.println("</table>");
+
+- writer.println("<table border=\"0\" width=\"100%\">");
+- Enumeration names = request.getHeaderNames();
+- while (names.hasMoreElements()) {
+- String name = (String) names.nextElement();
+- writer.println("<tr>");
+- writer.println(" <th align=\"right\">" + name + ":</th>");
+- writer.println(" <td>" + request.getHeader(name) + "</td>");
+- writer.println("</tr>");
+- }
+- writer.println("</table>");
+-
+ writer.println("</body>");
+ writer.println("</html>");
+
+--- jakarta-servletapi-5/jsr152/examples/jsp2/el/implicit-objects.jsp.orig 2004-11-24 11:54:58.000000000 -0500
++++ jakarta-servletapi-5/jsr152/examples/jsp2/el/implicit-objects.jsp 2007-04-27 14:29:32.000000000 -0400
+@@ -69,15 +69,15 @@
+ </tr>
+ <tr>
+ <td>\${header["host"]}</td>
+- <td>${header["host"]}</td>
++ <td>${fn:escapeXml(header["host"])} </td>
+ </tr>
+ <tr>
+ <td>\${header["accept"]}</td>
+- <td>${header["accept"]}</td>
++ <td>${fn:escapeXml(header["accept"])} </td>
+ </tr>
+ <tr>
+ <td>\${header["user-agent"]}</td>
+- <td>${header["user-agent"]}</td>
++ <td>${fn:escapeXml(header["user-agent"])} </td>
+ </tr>
+ </table>
+ </code>
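Review bot: The three rewritten cells in implicit-objects.jsp call `fn:escapeXml`, but no hunk in this patch adds a taglib directive for the `fn` prefix, so unless the page already declares it the expressions will fail when the JSP is translated; the head of the file is outside the hunk and needs checking. If the directive is missing, add `<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>` at the top of the page. In Hello.java the removed loop was the only visible use of `Enumeration`, so its import may now be unused.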
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7196.5.x.y.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7196.5.x.y.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7196.5.x.y.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,17 @@
+--- jakarta-servletapi-5/jsr152/examples/cal/cal2.jsp (revision 267240)
++++ jakarta-servletapi-5/jsr152/examples/cal/cal2.jsp (revision 369933)
+@@ -29,12 +29,12 @@
+
+ <FONT SIZE=5> Please add the following event:
+ <BR> <h3> Date <%= table.getDate() %>
+-<BR> Time <%= time %> </h3>
++<BR> Time <%= util.HTMLFilter.filter(time) %> </h3>
+ </FONT>
+ <FORM METHOD=POST ACTION=cal1.jsp>
+ <BR>
+ <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current">
+-<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %>
++<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter(time) %>
+ <BR> <h2> Description of the event <INPUT NAME="description" TYPE=TEXT SIZE=20> </h2>
+ <BR> <INPUT TYPE=SUBMIT VALUE="submit">
+ </FORM>
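Review bot: The hidden `time` field in cal2.jsp still writes the filtered value into an unquoted attribute, `VALUE=<%= util.HTMLFilter.filter(time) %>`, and the tag has no closing `>`. An entity filter does not make an unquoted attribute safe, because whitespace in the value ends the attribute without using any character the filter escapes (assuming `HTMLFilter.filter` handles only `<`, `>`, `&` and `"`, which should be confirmed). The line should read `<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE="<%= util.HTMLFilter.filter(time) %>">`. `table.getDate()` two lines above is still written unfiltered; whether it can carry request data is not visible in the hunk.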
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-0450.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-0450.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-0450.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,89 @@
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/buf/UDecoder.java.orig 2004-11-24 11:55:55.000000000 -0500
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/buf/UDecoder.java 2007-04-27 14:30:13.000000000 -0400
+@@ -29,6 +29,9 @@
+ */
+ public final class UDecoder {
+
++ protected static final boolean ALLOW_ENCODED_SLASH =
++ Boolean.valueOf(System.getProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "false")).booleanValue();
++
+ public UDecoder()
+ {
+ }
+@@ -62,6 +65,8 @@
+ // idx will be the smallest positive inxes ( first % or + )
+ if( idx2 >= 0 && idx2 < idx ) idx=idx2;
+ if( idx < 0 ) idx=idx2;
++
++ boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+
+ for( int j=idx; j<end; j++, idx++ ) {
+ if( buff[ j ] == '+' && query) {
+@@ -80,6 +85,9 @@
+
+ j+=2;
+ int res=x2c( b1, b2 );
++ if (noSlash && (res == '/')) {
++ throw new CharConversionException( "noSlash");
++ }
+ buff[idx]=(byte)res;
+ }
+ }
+@@ -121,7 +129,8 @@
+
+ if( idx2 >= 0 && idx2 < idx ) idx=idx2;
+ if( idx < 0 ) idx=idx2;
+-
++
++ boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+ for( int j=idx; j<cend; j++, idx++ ) {
+ if( buff[ j ] == '+' && query ) {
+ buff[idx]=( ' ' );
+@@ -140,6 +149,9 @@
+
+ j+=2;
+ int res=x2c( b1, b2 );
++ if (noSlash && (res == '/')) {
++ throw new CharConversionException( "noSlash");
++ }
+ buff[idx]=(char)res;
+ }
+ }
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteAdapter.java.orig 2004-11-24 11:55:18.000000000 -0500
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteAdapter.java 2007-04-27 14:30:13.000000000 -0400
+@@ -54,6 +54,8 @@
+ {
+ private static Log log = LogFactory.getLog(CoyoteAdapter.class);
+
++ protected static final boolean ALLOW_BACKSLASH =
++ Boolean.valueOf(System.getProperty("org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH", "false")).booleanValue();
+ // -------------------------------------------------------------- Constants
+
+
+@@ -232,8 +234,8 @@
+ req.getURLDecoder().convert(decodedURI, false);
+ } catch (IOException ioe) {
+ res.setStatus(400);
+- res.setMessage("Invalid URI");
+- throw ioe;
++ res.setMessage("Invalid URI: " + ioe.getMessage());
++ return false;
+ }
+ // Normalization
+ if (!normalize(req.decodedURI())) {
+@@ -473,8 +475,13 @@
+ // Replace '\' with '/'
+ // Check for null byte
+ for (pos = start; pos < end; pos++) {
+- if (b[pos] == (byte) '\\')
+- b[pos] = (byte) '/';
++ if (b[pos] == (byte) '\\') {
++ if (ALLOW_BACKSLASH) {
++ b[pos] = (byte) '/';
++ } else {
++ return false;
++ }
++ }
+ if (b[pos] == (byte) 0)
+ return false;
+ }
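Review bot: `ALLOW_ENCODED_SLASH` in UDecoder and `ALLOW_BACKSLASH` in CoyoteAdapter are added without any comment, although each is a JVM-wide switch, read once at class load, that restores the path handling this patch blocks when set to `true`. I would document both fields, for example `// Security switch, default false: when true, '\' in the request path is rewritten to '/' instead of being rejected. Read once at class load.`, and note on `ALLOW_BACKSLASH` that the property name uses the `org.apache.catalina.connector` package while the class is in `org.apache.coyote.tomcat5`. The new `catch` branch in CoyoteAdapter returns `false` without logging, so adding `log.debug("Rejected request URI", ioe);` would keep these rejections visible to operators. The methods touched here start and end outside the hunks.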
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1358.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1358.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1358.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,27 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java 2004-11-24 17:55:18.000000000 +0100
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java 2008-04-04 15:35:26.000000000 +0200
+@@ -2539,6 +2539,9 @@
+ variant = "";
+ }
+ }
++ if (!isAlpha(language) || !isAlpha(country) || !isAlpha(variant)) {
++ continue;
++ }
+
+ // Add a new Locale to the list of Locales for this quality level
+ Locale locale = new Locale(language, country, variant);
+@@ -2604,4 +2607,14 @@
+
+ }
+
++ protected static final boolean isAlpha(String value) {
++ for (int i = 0; i < value.length(); i++) {
++ char c = value.charAt(i);
++ if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))) {
++ return false;
++ }
++ }
++ return true;
++ }
++
+ }
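Review bot: `isAlpha` has no Javadoc, and two of its behaviours matter to callers: it accepts ASCII letters only, and it returns `true` for an empty string, so an empty `language` passes the new check before `new Locale(language, country, variant)`. Whether `language` can be empty at that point depends on parsing that lies outside the hunk. A comment at the `continue`, `// skip entries with anything other than ASCII letters in language, country or variant`, would also explain why such entries are dropped silently.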
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1858.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1858.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1858.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,13 @@
+Index: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+===================================================================
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (revision 531485)
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java (working copy)
+@@ -187,6 +187,8 @@
+ enabledCiphers = new String[vec.size()];
+ vec.copyInto(enabledCiphers);
+ }
++ } else {
++ enabledCiphers = sslProxy.getDefaultCipherSuites();
+ }
+
+ return enabledCiphers;
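Review bot: The new `else` branch has no comment saying why the default suites are used, and that reason is the whole fix; I would add `// No ciphers configured: use the provider's default suites, not every supported suite`. The defaults come from the JSSE provider through `sslProxy.getDefaultCipherSuites()`, so what is actually enabled varies with the runtime, and deployments should still configure an explicit cipher list. In the branch above, a configured list that matches nothing appears to leave `enabledCiphers` unset; what the caller does in that case is outside the hunk and should be checked.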
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,42 @@
+--- jakarta-tomcat-catalina/webapps/docs/build.xml 2008-04-04 13:28:58.000000000 -0400
++++ jakarta-tomcat-catalina/webapps/docs/build.xml 2008-04-07 12:14:25.000000000 -0400
+@@ -43,11 +43,13 @@
+ <copy todir="${webapps.build}/${webapp.name}/appdev">
+ <fileset dir="appdev" includes="*.txt"/>
+ </copy>
++<!--
+ <copy todir="${webapps.build}/${webapp.name}/appdev/sample">
+ <fileset dir="appdev/sample"/>
+ </copy>
+ <copy tofile="${webapps.build}/${webapp.name}/appdev/sample/build.xml"
+ file="appdev/build.xml.txt"/>
++-->
+
+ <!-- Catalina Functional Specifications -->
+ <mkdir dir="${webapps.build}/${webapp.name}/catalina/funcspecs"/>
+--- jakarta-tomcat-5/build.xml 2008-04-04 12:26:53.000000000 -0400
++++ jakarta-tomcat-5/build.xml 2008-04-04 15:53:22.000000000 -0400
+@@ -300,6 +300,7 @@
+ <classpath refid="jspc.classpath"/>
+ </taskdef>
+
++<!--
+ <jasper2
+ compile="false"
+ validateXml="false"
+@@ -324,6 +325,7 @@
+ webXmlFragment="${admin.base}/WEB-INF/generated_web.xml"
+ addWebXmlMappings="true"
+ outputDir="${admin.base}/WEB-INF/src/admin" />
++-->
+
+ <javac destdir="${ROOT.base}/WEB-INF/classes"
+ optimize="off"
+@@ -350,6 +352,7 @@
+ </fileset>
+ </copy>
+
++ <mkdir dir="${jsp-examples.base}/WEB-INF/classes"/>
+ <javac destdir="${jsp-examples.base}/WEB-INF/classes"
+ optimize="off"
+ debug="on" failonerror="false"
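Review bot: The sample copy in webapps/docs/build.xml and the `jasper2` step in jakarta-tomcat-5/build.xml are disabled by wrapping them in `<!-- -->` with no explanation, so a later maintainer cannot tell that they were switched off for the CVEs named in the patch file and may simply re-enable them. I would put the reason inside each comment, for example `<!-- Disabled by tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch; do not re-enable without security review -->`. The last hunk still creates and compiles into `${jsp-examples.base}/WEB-INF/classes`, so the examples webapp seems to be built; whether its JSPs are kept out of the shipped component is not visible here and should be confirmed.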
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2450.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2450.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2450.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,23 @@
+--- jakarta-tomcat-catalina/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java 2007-09-05 09:41:50.000000000 +0200
++++ jakarta-tomcat-catalina/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java 2007-09-05 09:42:16.000000000 +0200
+@@ -33,6 +33,7 @@
+ import javax.servlet.http.HttpServletResponse;
+ import org.apache.catalina.Context;
+ import org.apache.catalina.Host;
++import org.apache.catalina.util.RequestUtil;
+ import org.apache.catalina.util.ServerInfo;
+ import org.apache.commons.fileupload.FileItem;
+ import org.apache.commons.fileupload.DiskFileUpload;
+@@ -304,7 +305,11 @@
+ // Message Section
+ args = new Object[3];
+ args[0] = sm.getString("htmlManagerServlet.messageLabel");
+- args[1] = (message == null || message.length() == 0) ? "OK" : message;
++ if (message == null || message.length() == 0) {
++ args[1] = "OK";
++ } else {
++ args[1] = RequestUtil.filter(message);
++ }
+ writer.print(MessageFormat.format(Constants.MESSAGE_SECTION, args));
+
+ // Manager Section
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-3382_CVE-2007-3385.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-3382_CVE-2007-3385.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-3382_CVE-2007-3385.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,161 @@
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java 2007/07/25 02:14:15 559282
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java 2007/07/25 02:19:40 559283
+@@ -123,6 +123,7 @@
+ //
+ // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";
+ private static final String tspecials = ",;";
++ private static final String tspecials2 = ",; \"";
+
+ /*
+ * Tests a string and returns true if the string counts as a
+@@ -147,6 +148,20 @@
+ return true;
+ }
+
++ public static boolean isToken2(String value) {
++ if( value==null) return true;
++ int len = value.length();
++
++ for (int i = 0; i < len; i++) {
++ char c = value.charAt(i);
++
++ if (c < 0x20 || c >= 0x7f || tspecials2.indexOf(c) != -1)
++ return false;
++ }
++ return true;
++ }
++
++
+ public static boolean checkName( String name ) {
+ if (!isToken(name)
+ || name.equalsIgnoreCase("Comment") // rfc2019
+@@ -206,7 +221,7 @@
+ // this part is the same for all cookies
+ buf.append( name );
+ buf.append("=");
+- maybeQuote(version, buf, value);
++ maybeQuote2(version, buf, value);
+
+ // XXX Netscape cookie: "; "
+ // add version 1 specific information
+@@ -276,16 +291,56 @@
+ throw new IllegalArgumentException( value );
+ else {
+ buf.append ('"');
+- buf.append (value);
++ buf.append (escapeDoubleQuotes(value));
+ buf.append ('"');
+ }
+ }
+ }
+
++ public static void maybeQuote2 (int version, StringBuffer buf,
++ String value) {
++ // special case - a \n or \r shouldn't happen in any case
++ if (isToken2(value)) {
++ buf.append(value);
++ } else {
++ buf.append('"');
++ buf.append(escapeDoubleQuotes(value));
++ buf.append('"');
++ }
++ }
++
++
+ // log
+ static final int dbg=1;
+ public static void log(String s ) {
+ System.out.println("ServerCookie: " + s);
++ }
++
++ /**
++ * Escapes any double quotes in the given string.
++ *
++ * @param s the input string
++ *
++ * @return The (possibly) escaped string
++ */
++ private static String escapeDoubleQuotes(String s) {
++
++ if (s == null || s.length() == 0 || s.indexOf('"') == -1) {
++ return s;
++ }
++
++ StringBuffer b = new StringBuffer();
++ char p = s.charAt(0);
++ for (int i = 0; i < s.length(); i++) {
++ char c = s.charAt(i);
++ if (c == '"' && p != '\\')
++ b.append('\\').append('"');
++ else
++ b.append(c);
++ p = c;
++ }
++
++ return b.toString();
+ }
+
+ }
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/Cookies.java 2007-08-24 11:23:52.000000000 +0200
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/Cookies.java 2007-08-24 11:43:55.000000000 +0200
+@@ -243,9 +243,11 @@
+
+ // quote is valid only in version=1 cookies
+ cc=bytes[pos];
+- if( ( version == 1 || isSpecial ) && ( cc== '\'' || cc=='"' ) ) {
+- startValue++;
+- endValue=indexOf( bytes, startValue, end, cc );
++ if( ( version == 1 || isSpecial ) && ( cc== '"' ) ) {
++ endValue=findDelim3( bytes, startValue+1, end, cc );
++ if (endValue == -1) {
++ endValue = findDelim2(bytes, startValue+1, end);
++ } else startValue++;
+ pos=endValue+1; // to skip to next cookie
+ } else {
+ endValue=findDelim2( bytes, startValue, end );
+@@ -321,28 +323,26 @@
+ return off;
+ }
+
+- public static int indexOf( byte bytes[], int off, int end, byte qq )
++ /*
++ * search for cc but skip \cc as required by rfc2616
++ * (according to rfc2616 cc should be ")
++ */
++ public static int findDelim3( byte bytes[], int off, int end, byte cc )
+ {
+- while( off < end ) {
+- byte b=bytes[off];
+- if( b==qq )
+- return off;
+- off++;
+- }
+- return off;
++ while( off < end ) {
++ byte b=bytes[off];
++ if (b=='\\') {
++ off++;
++ off++;
++ continue;
++ }
++ if( b==cc )
++ return off;
++ off++;
++ }
++ return -1;
+ }
+
+- public static int indexOf( byte bytes[], int off, int end, char qq )
+- {
+- while( off < end ) {
+- byte b=bytes[off];
+- if( b==qq )
+- return off;
+- off++;
+- }
+- return off;
+- }
+-
+ // XXX will be refactored soon!
+ public static boolean equals( String s, byte b[], int start, int end) {
+ int blen = end-start;
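Review bot: `maybeQuote2` does not reject control characters: `isToken2` returns false for any `c < 0x20`, and the `else` branch then writes the value between quotes unchanged, so a CR or LF in a cookie value would be copied into the header line even though the comment says it "shouldn't happen in any case". I would throw `IllegalArgumentException` for control characters before quoting, as sketched below. Separately, `escapeDoubleQuotes` looks only at the immediately preceding character, so a quote that follows an already-escaped backslash is left unescaped. The CVE-2007-5333 patch later in this commit may change this code, but it is only partly visible here.

```java
public static void maybeQuote2 (int version, StringBuffer buf,
        String value) {
    if (isToken2(value)) {
        buf.append(value);
    } else {
        // value is non-null here: isToken2(null) returns true
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            // CR, LF and other CTLs must never be copied into a header line
            if ((c < 0x20 && c != '\t') || c == 0x7f) {
                throw new IllegalArgumentException(
                    "Control character in cookie value");
            }
        }
        // … unchanged: append '"', escapeDoubleQuotes(value), '"' …
    }
}
```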
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5333.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5333.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5333.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,965 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java 2009-04-20 17:29:42.000000000 +0200
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java 2009-04-21 09:41:12.000000000 +0200
+@@ -2312,6 +2312,22 @@
+ }
+ }
+
++ protected String unescape(String s) {
++ if (s==null) return null;
++ if (s.indexOf('\\') == -1) return s;
++ StringBuffer buf = new StringBuffer();
++ for (int i=0; i<s.length(); i++) {
++ char c = s.charAt(i);
++ if (c!='\\') buf.append(c);
++ else {
++ if (++i >= s.length()) throw new IllegalArgumentException();//invalid escape, hence invalid cookie
++ c = s.charAt(i);
++ buf.append(c);
++ }
++ }
++ return buf.toString();
++ }
++
+ /**
+ * Parse cookies.
+ */
+@@ -2330,14 +2346,18 @@
+ for (int i = 0; i < count; i++) {
+ ServerCookie scookie = serverCookies.getCookie(i);
+ try {
+- Cookie cookie = new Cookie(scookie.getName().toString(),
+- scookie.getValue().toString());
+- cookie.setPath(scookie.getPath().toString());
+- cookie.setVersion(scookie.getVersion());
++ /*
++ we must unescape the '\\' escape character
++ */
++ Cookie cookie = new Cookie(scookie.getName().toString(),null);
++ int version = scookie.getVersion();
++ cookie.setVersion(version);
++ cookie.setValue(unescape(scookie.getValue().toString()));
++ cookie.setPath(unescape(scookie.getPath().toString()));
+ String domain = scookie.getDomain().toString();
+- if (domain != null) {
+- cookie.setDomain(scookie.getDomain().toString());
+- }
++ if (domain!=null) cookie.setDomain(unescape(domain));//avoid NPE
++ String comment = scookie.getComment().toString();
++ cookie.setComment(version==1?unescape(comment):null);
+ cookies[idx++] = cookie;
+ } catch(IllegalArgumentException e) {
+ // Ignore bad cookie
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteResponse.java 2004-11-24 17:55:18.000000000 +0100
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteResponse.java 2009-04-21 09:41:12.000000000 +0200
+@@ -932,9 +932,9 @@
+ if (included)
+ return;
+
+- cookies.add(cookie);
+-
+ final StringBuffer sb = new StringBuffer();
++ //web application code can receive a IllegalArgumentException
++ //from the appendCookieValue invokation
+ if (SecurityUtil.isPackageProtectionEnabled()) {
+ AccessController.doPrivileged(new PrivilegedAction() {
+ public Object run(){
+@@ -953,11 +953,13 @@
+ cookie.getMaxAge(), cookie.getSecure());
+ }
+
++ // if we reached here, no exception, cookie is valid
+ // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
+ // RFC2965 is not supported by browsers and the Servlet spec
+ // asks for 2109.
+ addHeader("Set-Cookie", sb.toString());
+
++ cookies.add(cookie);
+ }
+
+
+--- jakarta-tomcat-catalina/webapps/docs/changelog.xml 2004-11-24 17:55:37.000000000 +0100
++++ jakarta-tomcat-catalina/webapps/docs/changelog.xml 2009-04-21 09:56:50.000000000 +0200
+@@ -79,6 +79,18 @@
+ <fix>
+ <bug>32269</bug>: JNDIRealm fails with InvalidNameException to authenticate users if LDAP distinguished name (DN) contains slash or double quote character(s). (yoavs)
+ </fix>
++ <fix>
++ Cookie handling/parsing changes!
++ The following behavior has been changed with regards to Tomcat's cookie
++ handling:<br/>
++ a) Cookies containing control characters, except 0x09(HT), are rejected
++ using an InvalidArgumentException.<br/>
++ b) If cookies are not quoted, they will be quoted if they contain
++ <code>tspecials(ver0)</code> or <code>tspecials2(ver1)</code>
++ characters.<br/>
++ c) Escape character '\\' is allowed and respected as a escape character,
++ and will be unescaped during parsing.
++ </fix>
+ </changelog>
+ </subsection>
+
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/Cookies.java 2009-04-20 17:29:42.000000000 +0200
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/Cookies.java 2009-04-20 17:49:17.000000000 +0200
+@@ -41,6 +41,27 @@
+ boolean unprocessed=true;
+
+ MimeHeaders headers;
++
++ /*
++ List of Separator Characters (see isSeparator())
++ Excluding the '/' char violates the RFC, but
++ it looks like a lot of people put '/'
++ in unquoted values: '/': ; //47
++ '\t':9 ' ':32 '\"':34 '\'':39 '(':40 ')':41 ',':44 ':':58 ';':59 '<':60
++ '=':61 '>':62 '?':63 '@':64 '[':91 '\\':92 ']':93 '{':123 '}':125
++ */
++ public static final char SEPARATORS[] = { '\t', ' ', '\"', '\'', '(', ')', ',',
++ ':', ';', '<', '=', '>', '?', '@', '[', '\\', ']', '{', '}' };
++
++ protected static final boolean separators[] = new boolean[128];
++ static {
++ for (int i = 0; i < 128; i++) {
++ separators[i] = false;
++ }
++ for (int i = 0; i < SEPARATORS.length; i++) {
++ separators[SEPARATORS[i]] = true;
++ }
++ }
+
+ /**
+ * Construct a new cookie collection, that will extract
+@@ -175,174 +196,6 @@
+ }
+ }
+
+- /** Process a byte[] header - allowing fast processing of the
+- * raw data
+- */
+- void processCookieHeader( byte bytes[], int off, int len )
+- {
+- if( len<=0 || bytes==null ) return;
+- int end=off+len;
+- int pos=off;
+-
+- int version=0; //sticky
+- ServerCookie sc=null;
+-
+-
+- while( pos<end ) {
+- byte cc;
+- // [ skip_spaces name skip_spaces "=" skip_spaces value EXTRA ; ] *
+- if( dbg>0 ) log( "Start: " + pos + " " + end );
+-
+- pos=skipSpaces(bytes, pos, end);
+- if( pos>=end )
+- return; // only spaces
+- int startName=pos;
+- if( dbg>0 ) log( "SN: " + pos );
+-
+- // Version should be the first token
+- boolean isSpecial=false;
+- if(bytes[pos]=='$') { pos++; isSpecial=true; }
+-
+- pos= findDelim1( bytes, startName, end); // " =;,"
+- int endName=pos;
+- // current = "=" or " " or DELIM
+- pos= skipSpaces( bytes, endName, end );
+- if( dbg>0 ) log( "DELIM: " + endName + " " + (char)bytes[pos]);
+-
+- if(pos >= end ) {
+- // it's a name-only cookie ( valid in RFC2109 )
+- if( ! isSpecial ) {
+- sc=addCookie();
+- sc.getName().setBytes( bytes, startName,
+- endName-startName );
+- sc.getValue().setString("");
+- sc.setVersion( version );
+- if( dbg>0 ) log( "Name only, end: " + startName + " " +
+- endName);
+- }
+- return;
+- }
+-
+- cc=bytes[pos];
+- pos++;
+- if( cc==';' || cc==',' ) {
+- if( ! isSpecial && startName!= endName ) {
+- sc=addCookie();
+- sc.getName().setBytes( bytes, startName,
+- endName-startName );
+- sc.getValue().setString("");
+- sc.setVersion( version );
+- if( dbg>0 ) log( "Name only: " + startName + " " + endName);
+- }
+- continue;
+- }
+-
+- // we should have "=" ( tested all other alternatives )
+- int startValue=skipSpaces( bytes, pos, end);
+- int endValue=startValue;
+-
+- // quote is valid only in version=1 cookies
+- cc=bytes[pos];
+- if( ( version == 1 || isSpecial ) && ( cc== '"' ) ) {
+- endValue=findDelim3( bytes, startValue+1, end, cc );
+- if (endValue == -1) {
+- endValue = findDelim2(bytes, startValue+1, end);
+- } else startValue++;
+- pos=endValue+1; // to skip to next cookie
+- } else {
+- endValue=findDelim2( bytes, startValue, end );
+- pos=endValue+1;
+- }
+-
+- // if not $Version, etc
+- if( ! isSpecial ) {
+- sc=addCookie();
+- sc.getName().setBytes( bytes, startName, endName-startName );
+- sc.getValue().setBytes( bytes, startValue, endValue-startValue);
+- sc.setVersion( version );
+- if( dbg>0 ) log( "New: " + sc.getName() + "X=X" + sc.getValue());
+- continue;
+- }
+-
+- // special - Path, Version, Domain, Port
+- if( dbg>0 ) log( "Special: " + startName + " " + endName);
+- // XXX TODO
+- if( equals( "$Version", bytes, startName, endName ) ) {
+- if(dbg>0 ) log( "Found version " );
+- if( bytes[startValue]=='1' && endValue==startValue+1 ) {
+- version=1;
+- if(dbg>0 ) log( "Found version=1" );
+- }
+- continue;
+- }
+- if( sc==null ) {
+- // Path, etc without a previous cookie
+- continue;
+- }
+- if( equals( "$Path", bytes, startName, endName ) ) {
+- sc.getPath().setBytes( bytes, startValue, endValue-startValue );
+- }
+- if( equals( "$Domain", bytes, startName, endName ) ) {
+- sc.getDomain().setBytes( bytes, startValue, endValue-startValue );
+- }
+- if( equals( "$Port", bytes, startName, endName ) ) {
+- // sc.getPort().setBytes( bytes, startValue, endValue-startValue );
+- }
+- }
+- }
+-
+- // -------------------- Utils --------------------
+- public static int skipSpaces( byte bytes[], int off, int end ) {
+- while( off < end ) {
+- byte b=bytes[off];
+- if( b!= ' ' ) return off;
+- off ++;
+- }
+- return off;
+- }
+-
+- public static int findDelim1( byte bytes[], int off, int end )
+- {
+- while( off < end ) {
+- byte b=bytes[off];
+- if( b==' ' || b=='=' || b==';' || b==',' )
+- return off;
+- off++;
+- }
+- return off;
+- }
+-
+- public static int findDelim2( byte bytes[], int off, int end )
+- {
+- while( off < end ) {
+- byte b=bytes[off];
+- if( b==';' || b==',' )
+- return off;
+- off++;
+- }
+- return off;
+- }
+-
+- /*
+- * search for cc but skip \cc as required by rfc2616
+- * (according to rfc2616 cc should be ")
+- */
+- public static int findDelim3( byte bytes[], int off, int end, byte cc )
+- {
+- while( off < end ) {
+- byte b=bytes[off];
+- if (b=='\\') {
+- off++;
+- off++;
+- continue;
+- }
+- if( b==cc )
+- return off;
+- off++;
+- }
+- return -1;
+- }
+-
+ // XXX will be refactored soon!
+ public static boolean equals( String s, byte b[], int start, int end) {
+ int blen = end-start;
+@@ -398,7 +251,7 @@
+ /**
+ *
+ * Strips quotes from the start and end of the cookie string
+- * This conforms to RFC 2109
++ * This conforms to RFC 2965
+ *
+ * @param value a <code>String</code> specifying the cookie
+ * value (possibly quoted).
+@@ -409,8 +262,7 @@
+ private static String stripQuote( String value )
+ {
+ // log("Strip quote from " + value );
+- if (((value.startsWith("\"")) && (value.endsWith("\""))) ||
+- ((value.startsWith("'") && (value.endsWith("'"))))) {
++ if (value.startsWith("\"") && value.endsWith("\"")) {
+ try {
+ return value.substring(1,value.length()-1);
+ } catch (Exception ex) {
+@@ -426,42 +278,299 @@
+ System.out.println("Cookies: " + s);
+ }
+
+- /*
+- public static void main( String args[] ) {
+- test("foo=bar; a=b");
+- test("foo=bar;a=b");
+- test("foo=bar;a=b;");
+- test("foo=bar;a=b; ");
+- test("foo=bar;a=b; ;");
+- test("foo=;a=b; ;");
+- test("foo;a=b; ;");
+- // v1
+- test("$Version=1; foo=bar;a=b");
+- test("$Version=\"1\"; foo='bar'; $Path=/path; $Domain=\"localhost\"");
+- test("$Version=1;foo=bar;a=b; ; ");
+- test("$Version=1;foo=;a=b; ; ");
+- test("$Version=1;foo= ;a=b; ; ");
+- test("$Version=1;foo;a=b; ; ");
+- test("$Version=1;foo=\"bar\";a=b; ; ");
+- test("$Version=1;foo=\"bar\";$Path=/examples;a=b; ; ");
+- test("$Version=1;foo=\"bar\";$Domain=apache.org;a=b");
+- test("$Version=1;foo=\"bar\";$Domain=apache.org;a=b;$Domain=yahoo.com");
+- // rfc2965
+- test("$Version=1;foo=\"bar\";$Domain=apache.org;$Port=8080;a=b");
+-
+- // wrong
+- test("$Version=1;foo=\"bar\";$Domain=apache.org;$Port=8080;a=b");
+- }
+-
+- public static void test( String s ) {
+- System.out.println("Processing " + s );
+- Cookies cs=new Cookies(null);
+- cs.processCookieHeader( s.getBytes(), 0, s.length());
+- for( int i=0; i< cs.getCookieCount() ; i++ ) {
+- System.out.println("Cookie: " + cs.getCookie( i ));
+- }
+-
++
++ /**
++ * Returns true if the byte is a separator character as
++ * defined in RFC2619. Since this is called often, this
++ * function should be organized with the most probable
++ * outcomes first.
++ */
++ public static final boolean isSeparator(final byte c) {
++ if (c > 0 && c < 126)
++ return separators[c];
++ else
++ return false;
+ }
+- */
++
++ /**
++ * Returns true if the byte is a whitespace character as
++ * defined in RFC2619.
++ */
++ public static final boolean isWhiteSpace(final byte c) {
++ // This switch statement is slightly slower
++ // for my vm than the if statement.
++ // Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-164)
++ /*
++ switch (c) {
++ case ' ':;
++ case '\t':;
++ case '\n':;
++ case '\r':;
++ case '\f':;
++ return true;
++ default:;
++ return false;
++ }
++ */
++ if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f')
++ return true;
++ else
++ return false;
++ }
++
++ /**
++ * Parses a cookie header after the initial "Cookie:"
++ * [WS][$]token[WS]=[WS](token|QV)[;|,]
++ * RFC 2965
++ * JVK
++ */
++ public final void processCookieHeader(byte bytes[], int off, int len){
++ if( len<=0 || bytes==null ) return;
++ int end=off+len;
++ int pos=off;
++ int nameStart=0;
++ int nameEnd=0;
++ int valueStart=0;
++ int valueEnd=0;
++ int version = 0;
++ ServerCookie sc=null;
++ boolean isSpecial;
++ boolean isQuoted;
++
++ while (pos < end) {
++ isSpecial = false;
++ isQuoted = false;
++
++ // Skip whitespace and non-token characters (separators)
++ while (pos < end &&
++ (isSeparator(bytes[pos]) || isWhiteSpace(bytes[pos])))
++ {pos++; }
++
++ if (pos >= end)
++ return;
++
++ // Detect Special cookies
++ if (bytes[pos] == '$') {
++ isSpecial = true;
++ pos++;
++ }
+
++ // Get the cookie name. This must be a token
++ valueEnd = valueStart = nameStart = pos;
++ pos = nameEnd = getTokenEndPosition(bytes,pos,end);
++
++ // Skip whitespace
++ while (pos < end && isWhiteSpace(bytes[pos])) {pos++; };
++
++
++ // Check for an '=' -- This could also be a name-only
++ // cookie at the end of the cookie header, so if we
++ // are past the end of the header, but we have a name
++ // skip to the name-only part.
++ if (pos < end && bytes[pos] == '=') {
++
++ // Skip whitespace
++ do {
++ pos++;
++ } while (pos < end && isWhiteSpace(bytes[pos]));
++
++ if (pos >= end)
++ return;
++
++ // Determine what type of value this is, quoted value,
++ // token, name-only with an '=', or other (bad)
++ switch (bytes[pos]) {
++ case '"':; // Quoted Value
++ isQuoted = true;
++ valueStart=pos + 1; // strip "
++ // getQuotedValue returns the position before
++ // at the last qoute. This must be dealt with
++ // when the bytes are copied into the cookie
++ valueEnd=getQuotedValueEndPosition(bytes,
++ valueStart, end);
++ // We need pos to advance
++ pos = valueEnd;
++ // Handles cases where the quoted value is
++ // unterminated and at the end of the header,
++ // e.g. [myname="value]
++ if (pos >= end)
++ return;
++ break;
++ case ';':
++ case ',':
++ // Name-only cookie with an '=' after the name token
++ // This may not be RFC compliant
++ valueStart = valueEnd = -1;
++ // The position is OK (On a delimiter)
++ break;
++ default:;
++ if (!isSeparator(bytes[pos])) {
++ // Token
++ valueStart=pos;
++ // getToken returns the position at the delimeter
++ // or other non-token character
++ valueEnd=getTokenEndPosition(bytes, valueStart, end);
++ // We need pos to advance
++ pos = valueEnd;
++ } else {
++ // INVALID COOKIE, advance to next delimiter
++ // The starting character of the cookie value was
++ // not valid.
++ log("Invalid cookie. Value not a token or quoted value");
++ while (pos < end && bytes[pos] != ';' &&
++ bytes[pos] != ',')
++ {pos++; };
++ pos++;
++ // Make sure no special avpairs can be attributed to
++ // the previous cookie by setting the current cookie
++ // to null
++ sc = null;
++ continue;
++ }
++ }
++ } else {
++ // Name only cookie
++ valueStart = valueEnd = -1;
++ pos = nameEnd;
++
++ }
++
++ // We should have an avpair or name-only cookie at this
++ // point. Perform some basic checks to make sure we are
++ // in a good state.
++
++ // Skip whitespace
++ while (pos < end && isWhiteSpace(bytes[pos])) {pos++; };
++
++
++ // Make sure that after the cookie we have a separator. This
++ // is only important if this is not the last cookie pair
++ while (pos < end && bytes[pos] != ';' && bytes[pos] != ',') {
++ pos++;
++ }
++
++ pos++;
++
++ /*
++ if (nameEnd <= nameStart || valueEnd < valueStart ) {
++ // Something is wrong, but this may be a case
++ // of having two ';' characters in a row.
++ // log("Cookie name/value does not conform to RFC 2965");
++ // Advance to next delimiter (ignoring everything else)
++ while (pos < end && bytes[pos] != ';' && bytes[pos] != ',')
++ { pos++; };
++ pos++;
++ // Make sure no special cookies can be attributed to
++ // the previous cookie by setting the current cookie
++ // to null
++ sc = null;
++ continue;
++ }
++ */
++
++ // All checks passed. Add the cookie, start with the
++ // special avpairs first
++ if (isSpecial) {
++ isSpecial = false;
++ // $Version must be the first avpair in the cookie header
++ // (sc must be null)
++ if (equals( "Version", bytes, nameStart, nameEnd) &&
++ sc == null) {
++ // Set version
++ if( bytes[valueStart] =='1' && valueEnd == (valueStart+1)) {
++ version=1;
++ } else {
++ // unknown version (Versioning is not very strict)
++ }
++ continue;
++ }
++
++ // We need an active cookie for Path/Port/etc.
++ if (sc == null) {
++ continue;
++ }
++
++ // Domain is more common, so it goes first
++ if (equals( "Domain", bytes, nameStart, nameEnd)) {
++ sc.getDomain().setBytes( bytes,
++ valueStart,
++ valueEnd-valueStart);
++ continue;
++ }
++
++ if (equals( "Path", bytes, nameStart, nameEnd)) {
++ sc.getPath().setBytes( bytes,
++ valueStart,
++ valueEnd-valueStart);
++ continue;
++ }
++
++
++ if (equals( "Port", bytes, nameStart, nameEnd)) {
++ // sc.getPort is not currently implemented.
++ // sc.getPort().setBytes( bytes,
++ // valueStart,
++ // valueEnd-valueStart );
++ continue;
++ }
++
++ // Unknown cookie, complain
++ log("Unknown Special Cookie");
++
++ } else { // Normal Cookie
++ sc = addCookie();
++ sc.setVersion( version );
++ sc.getName().setBytes( bytes, nameStart,
++ nameEnd-nameStart);
++
++ if (valueStart != -1) { // Normal AVPair
++ sc.getValue().setBytes( bytes, valueStart,
++ valueEnd-valueStart);
++ if (isQuoted) {
++ // We know this is a byte value so this is safe
++ ServerCookie.unescapeDoubleQuotes(
++ sc.getValue().getByteChunk());
++ }
++ } else {
++ // Name Only
++ sc.getValue().setString("");
++ }
++ continue;
++ }
++ }
++ }
++
++ /**
++ * Given the starting position of a token, this gets the end of the
++ * token, with no separator characters in between.
++ * JVK
++ */
++ public static final int getTokenEndPosition(byte bytes[], int off, int end){
++ int pos = off;
++ while (pos < end && !isSeparator(bytes[pos])) {pos++; };
++
++ if (pos > end)
++ return end;
++ return pos;
++ }
++
++ /**
++ * Given a starting position after an initial quote chracter, this gets
++ * the position of the end quote. This escapes anything after a '\' char
++ * JVK RFC 2616
++ */
++ public static final int getQuotedValueEndPosition(byte bytes[], int off, int end){
++ int pos = off;
++ while (pos < end) {
++ if (bytes[pos] == '"') {
++ return pos;
++ } else if (bytes[pos] == '\\' && pos < (end - 1)) {
++ pos+=2;
++ } else {
++ pos++;
++ }
++ }
++ // Error, we have reached the end of the header w/o a end quote
++ return end;
++ }
+ }
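Review bot: In the new `processCookieHeader`, the `$Version` branch reads `bytes[valueStart]` without checking for the name-only case, where `valueStart` was set to -1 earlier in the same loop iteration (no `=` after the name, or `=` directly followed by `;` or `,`). Indexing with -1 throws ArrayIndexOutOfBoundsException on a request-supplied header, and nothing in the visible hunk catches it. The `Domain` and `Path` branches pass the same -1 to `setBytes` with a length of 0. Guard the test with `if (valueStart != -1 && bytes[valueStart] == '1' && valueEnd == valueStart + 1)` and `continue` past any special attribute whose `valueStart` is -1.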
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java 2009-04-20 17:29:42.000000000 +0200
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java 2009-04-20 18:34:27.000000000 +0200
+@@ -16,6 +16,7 @@
+
+ package org.apache.tomcat.util.http;
+
++import org.apache.tomcat.util.buf.ByteChunk;
+ import org.apache.tomcat.util.buf.MessageBytes;
+ import org.apache.tomcat.util.buf.DateTool;
+ import java.text.*;
+@@ -47,6 +48,9 @@
+ private int version = 0; // ;Version=1
+
+ //XXX CommentURL, Port -> use notes ?
++
++ public static final boolean VERSION_SWITCH =
++ Boolean.valueOf(System.getProperty("org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH", "true")).booleanValue();
+
+ public ServerCookie() {
+
+@@ -80,7 +84,6 @@
+ return maxAge;
+ }
+
+-
+ public MessageBytes getPath() {
+ return path;
+ }
+@@ -105,7 +108,6 @@
+ return version;
+ }
+
+-
+ public void setVersion(int v) {
+ version = v;
+ }
+@@ -122,8 +124,9 @@
+ // from RFC 2068, token special case characters
+ //
+ // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";
+- private static final String tspecials = ",;";
+- private static final String tspecials2 = ",; \"";
++ private static final String tspecials = ",; ";
++ private static final String tspecials2 = "()<>@,;:\\\"/[]?={} \t";
++ private static final String tspecials2NoSlash = "()<>@,;:\\\"[]?={} \t";
+
+ /*
+ * Tests a string and returns true if the string counts as a
+@@ -136,26 +139,52 @@
+ * if it is not
+ */
+ public static boolean isToken(String value) {
++ return isToken(value,null);
++ }
++
++ public static boolean isToken(String value, String literals) {
++ String tspecials = (literals==null?ServerCookie.tspecials:literals);
++
+ if( value==null) return true;
+ int len = value.length();
+
+ for (int i = 0; i < len; i++) {
+ char c = value.charAt(i);
+
+- if (c < 0x20 || c >= 0x7f || tspecials.indexOf(c) != -1)
++ if (tspecials.indexOf(c) != -1)
+ return false;
+ }
+ return true;
+ }
+
++ public static boolean containsCTL(String value, int version) {
++ if( value==null) return false;
++ int len = value.length();
++ for (int i = 0; i < len; i++) {
++ char c = value.charAt(i);
++ if (c < 0x20 || c >= 0x7f) {
++ if (c == 0x09)
++ continue; //allow horizontal tabs
++ return true;
++ }
++ }
++ return false;
++ }
++
+ public static boolean isToken2(String value) {
++ return isToken2(value,null);
++ }
++
++ public static boolean isToken2(String value, String literals) {
++ String tspecials2 = (literals==null?ServerCookie.tspecials2:literals);
++
+ if( value==null) return true;
+ int len = value.length();
+
+ for (int i = 0; i < len; i++) {
+ char c = value.charAt(i);
+
+- if (c < 0x20 || c >= 0x7f || tspecials2.indexOf(c) != -1)
++ if (tspecials2.indexOf(c) != -1)
+ return false;
+ }
+ return true;
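Review bot: `isToken` and `isToken2` are public, and with the `c < 0x20 || c >= 0x7f` test removed they now return true for strings containing CR, LF or other control characters. The check moved to `containsCTL`, which only `maybeQuote2` calls in the visible hunks, so any other caller that relied on these methods before writing a value into a header loses that rejection. The older `maybeQuote`, whose head is outside the hunks, is one to check. Either keep the control-character test in both methods or document the new contract, e.g. `// NOTE: does not reject control characters; call containsCTL() first`. The `version` parameter of `containsCTL` is never read.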
+@@ -181,8 +210,8 @@
+ // -------------------- Cookie parsing tools
+
+
+- /** Return the header name to set the cookie, based on cookie
+- * version
++ /**
++ * Return the header name to set the cookie, based on cookie version.
+ */
+ public String getCookieHeaderName() {
+ return getCookieHeaderName(version);
+@@ -192,7 +221,6 @@
+ * version
+ */
+ public static String getCookieHeaderName(int version) {
+- if( dbg>0 ) log( (version==1) ? "Set-Cookie2" : "Set-Cookie");
+ if (version == 1) {
+ // RFC2109
+ return "Set-Cookie";
+@@ -208,7 +236,7 @@
+
+ private static final String ancientDate=DateTool.formatOldCookie(new Date(10000));
+
+- public static void appendCookieValue( StringBuffer buf,
++ public static void appendCookieValue( StringBuffer headerBuf,
+ int version,
+ String name,
+ String value,
+@@ -219,9 +247,10 @@
+ boolean isSecure )
+ {
+ // this part is the same for all cookies
++ StringBuffer buf = new StringBuffer();
+ buf.append( name );
+ buf.append("=");
+- maybeQuote2(version, buf, value);
++ version = maybeQuote2(version, buf, value, true);
+
+ // XXX Netscape cookie: "; "
+ // add version 1 specific information
+@@ -232,7 +261,7 @@
+ // Comment=comment
+ if ( comment!=null ) {
+ buf.append ("; Comment=");
+- maybeQuote (version, buf, comment);
++ maybeQuote2 (version, buf, comment);
+ }
+ }
+
+@@ -240,7 +269,7 @@
+
+ if (domain!=null) {
+ buf.append("; Domain=");
+- maybeQuote (version, buf, domain);
++ maybeQuote2 (version, buf, domain);
+ }
+
+ // Max-Age=secs/Discard ... or use old "Expires" format
+@@ -269,14 +298,18 @@
+ // Path=path
+ if (path!=null) {
+ buf.append ("; Path=");
+- maybeQuote (version, buf, path);
++ if (version==0) {
++ maybeQuote2(version, buf, path);
++ } else {
++ maybeQuote2(version, buf, path, ServerCookie.tspecials2NoSlash, false);
++ }
+ }
+
+ // Secure
+ if (isSecure) {
+ buf.append ("; Secure");
+ }
+-
++ headerBuf.append(buf);
+
+ }
+
+@@ -291,25 +324,52 @@
+ throw new IllegalArgumentException( value );
+ else {
+ buf.append ('"');
+- buf.append (escapeDoubleQuotes(value));
++ buf.append(escapeDoubleQuotes(value,0,value.length()));
+ buf.append ('"');
+ }
+ }
+ }
+
+- public static void maybeQuote2 (int version, StringBuffer buf,
+- String value) {
+- // special case - a \n or \r shouldn't happen in any case
+- if (isToken2(value)) {
+- buf.append(value);
+- } else {
++ public static boolean alreadyQuoted (String value) {
++ if (value==null || value.length()==0) return false;
++ return (value.charAt(0)=='\"' && value.charAt(value.length()-1)=='\"');
++ }
++
++ public static int maybeQuote2(int version, StringBuffer buf, String value) {
++ return maybeQuote2(version,buf,value,false);
++ }
++ public static int maybeQuote2 (int version, StringBuffer buf, String value, boolean allowVersionSwitch) {
++ return maybeQuote2(version,buf,value,null,allowVersionSwitch);
++ }
++
++ public static int maybeQuote2 (int version, StringBuffer buf, String value, String literals, boolean allowVersionSwitch) {
++ if (value==null || value.length()==0) {
++ buf.append("\"\"");
++ } else if (containsCTL(value,version))
++ throw new IllegalArgumentException("Control character in cookie value, consider BASE64 encoding your value");
++ else if (alreadyQuoted(value)) {
++ buf.append('"');
++ buf.append(escapeDoubleQuotes(value,1,value.length()-1));
++ buf.append('"');
++ } else if (allowVersionSwitch && VERSION_SWITCH && version==0 && !isToken2(value, literals)) {
+ buf.append('"');
+- buf.append(escapeDoubleQuotes(value));
++ buf.append(escapeDoubleQuotes(value,0,value.length()));
+ buf.append('"');
++ version = 1;
++ } else if (version==0 && !isToken(value, literals)) {
++ buf.append('"');
++ buf.append(escapeDoubleQuotes(value,0,value.length()));
++ buf.append('"');
++ } else if (version==1 && !isToken2(value, literals)) {
++ buf.append('"');
++ buf.append(escapeDoubleQuotes(value,0,value.length()));
++ buf.append('"');
++ } else {
++ buf.append(value);
+ }
++ return version;
+ }
+
+-
+ // log
+ static final int dbg=1;
+ public static void log(String s ) {
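Review bot: `maybeQuote2` can emit a quoted value whose closing quote is itself escaped. A value that ends in a backslash and contains no `"` is wrapped in quotes, but `escapeDoubleQuotes` (next hunk) returns such a string unchanged through its early `s.indexOf('"') == -1` return, so its "Invalid escape character" check never runs. The header text then ends in `\"`, which the parser added by this same patch treats as an escaped quote rather than the end of the value. Remove the `indexOf` shortcut from that early return so every quoted value passes through the loop, or reject a trailing backslash here before quoting. As a style point, the three branches that append a quoted value are identical and could share one private helper.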
+@@ -323,25 +383,55 @@
+ *
+ * @return The (possibly) escaped string
+ */
+- private static String escapeDoubleQuotes(String s) {
++ private static String escapeDoubleQuotes(String s, int beginIndex,
++ int endIndex) {
+
+ if (s == null || s.length() == 0 || s.indexOf('"') == -1) {
+ return s;
+ }
+
+ StringBuffer b = new StringBuffer();
+- char p = s.charAt(0);
+- for (int i = 0; i < s.length(); i++) {
++ for (int i = beginIndex; i < endIndex; i++) {
+ char c = s.charAt(i);
+- if (c == '"' && p != '\\')
++ if (c == '\\' ) {
++ b.append(c);
++ //ignore the character after an escape, just append it
++ if (++i>=endIndex) throw new IllegalArgumentException("Invalid escape character in cookie value.");
++ b.append(s.charAt(i));
++ } else if (c == '"')
+ b.append('\\').append('"');
+ else
+ b.append(c);
+- p = c;
+ }
+
+ return b.toString();
+ }
++ /**
++ * Unescapes any double quotes in the given cookie value.
++ *
++ * @param bc The cookie value to modify
++ */
++ public static void unescapeDoubleQuotes(ByteChunk bc) {
++
++ if (bc == null || bc.getLength() == 0 || bc.indexOf('"', 0) == -1) {
++ return;
++ }
++
++ int src = bc.getStart();
++ int end = bc.getEnd();
++ int dest = src;
++ byte[] buffer = bc.getBuffer();
++
++ while (src < end) {
++ if (buffer[src] == '\\' && src < end && buffer[src+1] == '"') {
++ src++;
++ }
++ buffer[dest] = buffer[src];
++ dest ++;
++ src ++;
++ }
++ bc.setEnd(dest);
++ }
+
+ }
+
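Review bot: In `unescapeDoubleQuotes` the guard `src < end` is always true inside `while (src < end)`, so `buffer[src+1]` is read even when `src` is the last byte of the chunk. For a value whose final byte is a backslash, that reads the byte after the chunk (for a quoted cookie value, the closing quote) and copies it into the value in place of the backslash. It throws ArrayIndexOutOfBoundsException if the chunk ends at the end of the buffer. The condition should be `if (buffer[src] == '\\' && src + 1 < end && buffer[src+1] == '"')`. The early return on `bc.indexOf('"', 0) == -1` means this only triggers when the value also contains a double quote.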
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5461.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5461.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5461.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,72 @@
+--- ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java.sav 2004-11-24 11:55:13.000000000 -0500
++++ ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java 2007-10-22 22:34:40.000000000 -0400
+@@ -19,6 +19,7 @@
+
+
+ import java.io.IOException;
++import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.io.Writer;
+ import java.text.SimpleDateFormat;
+@@ -33,6 +34,7 @@
+ import javax.naming.NamingEnumeration;
+ import javax.naming.NamingException;
+ import javax.naming.directory.DirContext;
++import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+@@ -49,6 +51,7 @@
+ import org.w3c.dom.Element;
+ import org.w3c.dom.Node;
+ import org.w3c.dom.NodeList;
++import org.xml.sax.EntityResolver;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.SAXException;
+
+@@ -219,6 +222,8 @@
+ documentBuilderFactory = DocumentBuilderFactory.newInstance();
+ documentBuilderFactory.setNamespaceAware(true);
+ documentBuilder = documentBuilderFactory.newDocumentBuilder();
++ documentBuilder.setEntityResolver(
++ new WebdavResolver(this.getServletContext()));
+ } catch(ParserConfigurationException e) {
+ throw new ServletException
+ (sm.getString("webdavservlet.jaxpfailed"));
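Review bot: The factory setup in this hunk goes from `setNamespaceAware(true)` straight to `newDocumentBuilder()`, although the `WebdavResolver` javadoc added later in the patch presents the resolver as a fallback for parsers that ignore `setExpandEntityReferences(false)`. If that call is not made elsewhere, the resolver is the only control, and it covers external entities only; entities declared in an internal DTD subset are still expanded. Consider adding `documentBuilderFactory.setExpandEntityReferences(false);` before `newDocumentBuilder()`, so the configuration matches the comment. The enclosing `try` block begins outside the hunk.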
+@@ -2716,6 +2721,26 @@
+ }
+
+
++ // --------------------------------------------- WebdavResolver Inner Class
++ /**
++ * Work around for XML parsers that don't fully respect
++ * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
++ * references are filtered out for security reasons. See CVE-2007-5461.
++ */
++ private class WebdavResolver implements EntityResolver {
++ private ServletContext context;
++
++ public WebdavResolver(ServletContext theContext) {
++ context = theContext;
++ }
++
++ public InputSource resolveEntity (String publicId, String systemId) {
++ context.log(sm.getString("webdavservlet.enternalEntityIgnored",
++ publicId, systemId));
++ return new InputSource(
++ new StringReader("Ignored external entity"));
++ }
++ }
+ };
+
+
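Review bot: `resolveEntity` passes `publicId` and `systemId` to `context.log` unmodified, and both come from the XML body of the request, so a client can put line breaks or arbitrarily long strings into the server log. Strip CR/LF and cap the length before formatting the message, for example with a small private helper applied to both arguments. `context` is assigned once in the constructor and can be declared `private final ServletContext context;`. The javadoc tag `{@link DocumentBuilderFactory#setExpandEntityReferences(false)}` is not a valid link target; use `{@link DocumentBuilderFactory#setExpandEntityReferences(boolean)}`.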
+--- ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties.sav 2007-10-22 21:01:54.000000000 -0400
++++ ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties 2007-10-22 21:02:09.000000000 -0400
+@@ -9,6 +9,7 @@
+ invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
+ invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
+ webdavservlet.jaxpfailed=JAXP initialization failed
++webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
+ directory.filename=Filename
+ directory.lastModified=Last Modified
+ directory.parent=Up To {0}
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-0128.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-0128.5.0.x.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-0128.5.0.x.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,14 @@
+--- ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java 2004-11-24 17:55:07.000000000 +0100
++++ ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java 2008-04-04 15:53:59.000000000 +0200
+@@ -843,6 +843,11 @@
+ Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
+ cookie.setMaxAge(-1);
+ cookie.setPath("/");
++
++ // Bugzilla 41217
++ javax.servlet.ServletRequest r = (javax.servlet.ServletRequest) request;
++ cookie.setSecure(r.isSecure());
++
+ hres.addCookie(cookie);
+
+ // Register this principal with our SSO valve
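Review bot: The added lines set the SSO cookie's Secure flag from `isSecure()`, which reflects how the connector saw the request and not necessarily how the client connected. When TLS is terminated in front of Tomcat, the flag stays off unless the connector is configured to report the request as secure. A comment would make that dependency visible: `// Secure flag follows request.isSecure(); behind a TLS-terminating proxy the connector must be configured to report secure requests`. The comment `// Bugzilla 41217` could also name the CVE this patch file is filed under. The enclosing method starts and ends outside the hunk.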
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-1232.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-1232.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-1232.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,89 @@
+--- jakarta-tomcat-connectors/coyote/src/java/org/apache/coyote/Constants.java (original)
++++ jakarta-tomcat-connectors/coyote/src/java/org/apache/coyote/Constants.java Wed Jul 30 02:26:27 2008
+@@ -53,4 +53,12 @@
+ public static final int STAGE_ENDED = 7;
+
+
++ /**
++ * If true, custom HTTP status messages will be used in headers.
++ */
++ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
++ Boolean.valueOf(System.getProperty(
++ "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
++ "false")).booleanValue();
++
+ }
+
+--- jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java (original)
++++ jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java Wed Jul 30 02:26:27 2008
+@@ -448,11 +448,14 @@
+ buf[pos++] = Constants.SP;
+
+ // Write message
+- String message = response.getMessage();
++ String message = null;
++ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
++ message = response.getMessage();
++ }
+ if (message == null) {
+ write(getMessage(status));
+ } else {
+- write(message);
++ write(message.replace('\n', ' ').replace('\r', ' '));
+ }
+
+ // End the response status line
+
+--- jakarta-tomcat-connectors/jk/java/org/apache/jk/server/JkCoyoteHandler.java.org 2005-03-26 20:24:11.000000000 +0100
++++ jakarta-tomcat-connectors/jk/java/org/apache/jk/server/JkCoyoteHandler.java 2008-08-18 11:37:00.000000000 +0200
+@@ -363,7 +363,10 @@
+ mb=MessageBytes.newInstance();
+ ep.setNote( tmpMessageBytesNote, mb );
+ }
+- String message=res.getMessage();
++ String message=null;
++ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
++ message = res.getMessage();
++ }
+ if( message==null ){
+ if( System.getSecurityManager() != null ) {
+ message = (String)AccessController.doPrivileged(
+
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
+@@ -115,8 +115,7 @@
+ || (requestPathMB.equalsIgnoreCase("/META-INF"))
+ || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
+ || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
+- String requestURI = hreq.getDecodedRequestURI();
+- notFound(requestURI, (HttpServletResponse) response.getResponse());
++ notFound((HttpServletResponse) response.getResponse());
+ return;
+ }
+
+@@ -132,8 +131,7 @@
+ // Select the Wrapper to be used for this Request
+ Wrapper wrapper = request.getWrapper();
+ if (wrapper == null) {
+- String requestURI = hreq.getDecodedRequestURI();
+- notFound(requestURI, (HttpServletResponse) response.getResponse());
++ notFound((HttpServletResponse) response.getResponse());
+ return;
+ }
+
+@@ -268,13 +266,12 @@
+ * application, but currently that code runs at the wrapper level rather
+ * than the context level.
+ *
+- * @param requestURI The request URI for the requested resource
+ * @param response The response we are creating
+ */
+- private void notFound(String requestURI, HttpServletResponse response) {
++ private void notFound(HttpServletResponse response) {
+
+ try {
+- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
++ response.sendError(HttpServletResponse.SC_NOT_FOUND);
+ } catch (IllegalStateException e) {
+ ;
+ } catch (IOException e) {
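Review bot: In the `JkCoyoteHandler` hunk, once `USE_CUSTOM_STATUS_MSG_IN_HEADER` is enabled, the custom status message is taken from `res.getMessage()` without the CR/LF replacement that the `InternalOutputBuffer` hunk applies before `write(message)`. Unless the message is filtered further down (the rest of that method is outside the hunk), the two connectors treat the same application-supplied text differently; adding `if (message != null) message = message.replace('\n', ' ').replace('\r', ' ');` after the assignment would align them. The Javadoc on the new constant should also say that the default `false` sends the standard reason phrase for the status code, and that enabling the property puts application-controlled text into the status line.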
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2370.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2370.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2370.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,41 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java (original)
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java Wed Jul 30 02:34:21 2008
+@@ -379,10 +379,21 @@
+ throw new IllegalArgumentException
+ (sm.getString
+ ("applicationContext.requestDispatcher.iae", path));
++
++ // Get query string
++ String queryString = null;
++ int pos = path.indexOf('?');
++ if (pos >= 0) {
++ queryString = path.substring(pos + 1);
++ path = path.substring(0, pos);
++ }
++
+ path = normalize(path);
+ if (path == null)
+ return (null);
+
++ pos = path.length();
++
+ // Retrieve the thread local URI
+ MessageBytes uriMB = (MessageBytes) localUriMB.get();
+ if (uriMB == null) {
+@@ -394,15 +405,6 @@
+ uriMB.recycle();
+ }
+
+- // Get query string
+- String queryString = null;
+- int pos = path.indexOf('?');
+- if (pos >= 0) {
+- queryString = path.substring(pos + 1);
+- } else {
+- pos = path.length();
+- }
+-
+ // Retrieve the thread local mapping data
+ MappingData mappingData = (MappingData) localMappingData.get();
+ if (mappingData == null) {
+
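Review bot: The comment `// Get query string` on the moved block does not record why the split now has to happen before `normalize(path)`, which is the reason for the reordering. I would replace it with `// Remove the query string before normalizing, so that only the path part is normalized and "/../" inside a parameter cannot alter it`. The added `pos = path.length();` also deserves a short comment such as `// pos marks the end of the normalized path`, since `pos` appears to be reused by code outside the hunk. The enclosing method starts and ends outside the hunk.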
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2938.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2938.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2938.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,83 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteAdapter.java 2008-07-17 13:13:43 UTC (rev 717)
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteAdapter.java 2008-07-17 17:43:56 UTC (rev 718)
+@@ -442,6 +442,12 @@
+ }
+ // Character decoding
+ convertURI(decodedURI, request);
++ // Check that the URI is still normalized
++ if (!checkNormalize(req.decodedURI())) {
++ res.setStatus(400);
++ res.setMessage("Invalid URI character encoding");
++ return false;
++ }
+ } else {
+ // The URL is chars or String, and has been sent using an in-memory
+ // protocol handler, we have to assume the URL has been properly
+@@ -821,6 +827,67 @@
+ }
+
+
++ /**
++ * Check that the URI is normalized following character decoding.
++ * <p>
++ * This method checks for "\", "//", "/./" and "/../". This method will
++ * return false if sequences that are supposed to be normalized still
++ * present in the URI.
++ *
++ * @param uriMB URI to be normalized
++ */
++ public static boolean checkNormalize(MessageBytes uriMB) {
++
++ CharChunk uriCC = uriMB.getCharChunk();
++ char[] c = uriCC.getChars();
++ int start = uriCC.getStart();
++ int end = uriCC.getEnd();
++
++ int pos = 0;
++
++ // Check for '\' and for null byte
++ for (pos = start; pos < end; pos++) {
++ if (c[pos] == '\\') {
++ return false;
++ }
++ if (c[pos] == 0) {
++ return false;
++ }
++ }
++
++ // Check for "//"
++ for (pos = start; pos < (end - 1); pos++) {
++ if (c[pos] == '/') {
++ if (c[pos + 1] == '/') {
++ return false;
++ }
++ }
++ }
++
++ // Check for URI ending with "/." or "/.."
++ if (((end - start) >= 2) && (c[end - 1] == '.')) {
++ if ((c[end - 2] == '/')
++ || ((c[end - 2] == '.')
++ && (c[end - 3] == '/'))) {
++ return false;
++ }
++ }
++
++ // Check for "/./"
++ if (uriCC.indexOf("/./", 0, 3, 0) >= 0) {
++ return false;
++ }
++
++ // Check for "/./"
++ if (uriCC.indexOf("/../", 0, 4, 0) >= 0) {
++ return false;
++ }
++
++ return true;
++
++ }
++
++
+ // ------------------------------------------------------ Protected Methods
+
+
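Review bot: The trailing-dot check in `checkNormalize` reads `c[end - 3]` after testing only `(end - start) >= 2`, so for a two-character URI made of two dots the index falls before `start` (and below zero when `start` is 0). Guard the third lookup, for example `|| (((end - start) >= 3) && (c[end - 2] == '.') && (c[end - 3] == '/'))`. The second `// Check for "/./"` comment sits above the `"/../"` search and should read `// Check for "/../"`. The Javadoc should gain an `@return` line and describe `uriMB` as the URI to be checked rather than normalized.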
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-3271.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-3271.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-3271.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,110 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java.org 2008-10-28 17:33:08.000000000 +0100
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java 2008-10-28 17:34:19.000000000 +0100
+@@ -30,6 +30,7 @@
+ import org.apache.catalina.ValveContext;
+ import org.apache.catalina.util.StringManager;
+ import org.apache.regexp.RE;
++import org.apache.regexp.REProgram;
+ import org.apache.regexp.RESyntaxException;
+ import org.apache.tomcat.util.compat.JdkCompat;
+
+@@ -104,15 +105,17 @@
+
+
+ /**
+- * The set of <code>allow</code> regular expressions we will evaluate.
++ * The set of <code>allow</code> pre-compiled regular expressions we will
++ * evaluate.
+ */
+- protected RE allows[] = new RE[0];
++ protected REProgram allows[] = new REProgram[0];
+
+
+ /**
+- * The set of <code>deny</code> regular expressions we will evaluate.
++ * The set of <code>deny</code> pre-compiled regular expressions we will
++ * evaluate.
+ */
+- protected RE denies[] = new RE[0];
++ protected REProgram denies[] = new REProgram[0];
+
+
+ /**
+@@ -210,32 +213,32 @@
+
+
+ /**
+- * Return an array of regular expression objects initialized from the
+- * specified argument, which must be <code>null</code> or a comma-delimited
+- * list of regular expression patterns.
++ * Return an array of pre-compiled regular expression objects initialized
++ * from the specified argument, which must be <code>null</code> or a
++ * comma-delimited list of regular expression patterns.
+ *
+ * @param list The comma-separated list of patterns
+ *
+ * @exception IllegalArgumentException if one of the patterns has
+ * invalid syntax
+ */
+- protected RE[] precalculate(String list) {
++ protected REProgram[] precalculate(String list) {
+
+ if (list == null)
+- return (new RE[0]);
++ return (new REProgram[0]);
+ list = list.trim();
+ if (list.length() < 1)
+- return (new RE[0]);
++ return (new REProgram[0]);
+ list += ",";
+
+- ArrayList reList = new ArrayList();
++ ArrayList reProgramList = new ArrayList();
+ while (list.length() > 0) {
+ int comma = list.indexOf(',');
+ if (comma < 0)
+ break;
+ String pattern = list.substring(0, comma).trim();
+ try {
+- reList.add(new RE(pattern));
++ reProgramList.add(new RE(pattern).getProgram());
+ } catch (RESyntaxException e) {
+ IllegalArgumentException iae = new IllegalArgumentException
+ (sm.getString("requestFilterValve.syntax", pattern));
+@@ -245,8 +248,8 @@
+ list = list.substring(comma + 1);
+ }
+
+- RE reArray[] = new RE[reList.size()];
+- return ((RE[]) reList.toArray(reArray));
++ REProgram reProgramArray[] = new REProgram[reProgramList.size()];
++ return ((REProgram[]) reProgramList.toArray(reProgramArray));
+
+ }
+
+@@ -269,9 +272,14 @@
+ ValveContext context)
+ throws IOException, ServletException {
+
++
++ // Create local RE since RE is not thread safe
++ RE re = new RE();
++
+ // Check the deny patterns, if any
+ for (int i = 0; i < denies.length; i++) {
+- if (denies[i].match(property)) {
++ re.setProgram(denies[i]);
++ if (re.match(property)) {
+ ServletResponse sres = response.getResponse();
+ if (sres instanceof HttpServletResponse) {
+ HttpServletResponse hres = (HttpServletResponse) sres;
+@@ -283,7 +291,8 @@
+
+ // Check the allow patterns, if any
+ for (int i = 0; i < allows.length; i++) {
+- if (allows[i].match(property)) {
++ re.setProgram(allows[i]);
++ if (re.match(property)) {
+ context.invokeNext(request, response);
+ return;
+ }
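Review bot: The fields `allows` and `denies` and the return type of `precalculate` are `protected` and change from `RE` to `REProgram`, which breaks any subclass outside this patch that reads the arrays or overrides the method. The field Javadoc should say why the type changed, e.g. `Stored as REProgram because RE instances are not thread safe; process() wraps each program in a request-local RE.` The match call in `process` is otherwise unchanged: as far as I know `RE.match(String)` reports a match anywhere in the input, so an allow pattern without `^`/`$` anchors accepts any value that merely contains it, which is worth stating in the valve's documentation. `process` starts and ends outside the hunk.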
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-bootstrap.MF.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-bootstrap.MF.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-bootstrap.MF.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,8 @@
+--- jakarta-tomcat-5.0.30-src/jakarta-tomcat-catalina/catalina/etc/bootstrap.MF 2004-11-24 11:55:05.000000000 -0500
++++ jakarta-tomcat-5.0.30-src/jakarta-tomcat-catalina/catalina/etc/bootstrap.MF 2004-12-10 16:33:56.000000000 -0500
+@@ -1,5 +1,4 @@
+ Manifest-Version: 1.0
+ Main-Class: org.apache.catalina.startup.Bootstrap
+-Class-Path: jmx.jar commons-daemon.jar commons-logging-api.jar
+ Specification-Title: Catalina
+ Specification-Version: 1.0
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-javaxssl.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-javaxssl.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-javaxssl.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,52 @@
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java.orig 2004-06-17 21:11:40.000000000 -0400
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java 2004-12-07 15:21:53.000000000 -0500
+@@ -66,8 +66,8 @@
+ */
+ void init() throws IOException {
+ try {
+- Security.addProvider (new sun.security.provider.Sun());
+- Security.addProvider (new com.sun.net.ssl.internal.ssl.Provider());
++ // Security.addProvider (new sun.security.provider.Sun());
++ // Security.addProvider (new com.sun.net.ssl.internal.ssl.Provider());
+
+ String clientAuthStr = (String)attributes.get("clientauth");
+ if("true".equalsIgnoreCase(clientAuthStr) ||
+@@ -85,8 +85,8 @@
+ if (algorithm == null) algorithm = defaultAlgorithm;
+
+ // Set up KeyManager, which will extract server key
+- com.sun.net.ssl.KeyManagerFactory kmf =
+- com.sun.net.ssl.KeyManagerFactory.getInstance(algorithm);
++ javax.net.ssl.KeyManagerFactory kmf =
++ javax.net.ssl.KeyManagerFactory.getInstance(algorithm);
+ String keystoreType = (String)attributes.get("keystoreType");
+ if (keystoreType == null) {
+ keystoreType = defaultKeystoreType;
+@@ -96,22 +96,22 @@
+ keystorePass.toCharArray());
+
+ // Set up TrustManager
+- com.sun.net.ssl.TrustManager[] tm = null;
++ javax.net.ssl.TrustManager[] tm = null;
+ String truststoreType = (String)attributes.get("truststoreType");
+ if(truststoreType == null) {
+ truststoreType = keystoreType;
+ }
+ KeyStore trustStore = getTrustStore(truststoreType);
+ if (trustStore != null) {
+- com.sun.net.ssl.TrustManagerFactory tmf =
+- com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
++ javax.net.ssl.TrustManagerFactory tmf =
++ javax.net.ssl.TrustManagerFactory.getInstance("SunX509");
+ tmf.init(trustStore);
+ tm = tmf.getTrustManagers();
+ }
+
+ // Create and init SSLContext
+- com.sun.net.ssl.SSLContext context =
+- com.sun.net.ssl.SSLContext.getInstance(protocol);
++ javax.net.ssl.SSLContext context =
++ javax.net.ssl.SSLContext.getInstance(protocol);
+ context.init(kmf.getKeyManagers(), tm, new SecureRandom());
+
+ // Create proxy
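Review bot: The trust manager factory is still requested by the hard-coded name in `javax.net.ssl.TrustManagerFactory.getInstance("SunX509")`, while the key manager factory a few lines above uses the configurable `algorithm`. On a JVM whose JSSE provider does not register that name the call fails, which undercuts the move away from the `com.sun.net.ssl` classes. Consider `javax.net.ssl.TrustManagerFactory.getInstance(algorithm);`, or `TrustManagerFactory.getDefaultAlgorithm()` if the two algorithms are meant to differ. The two `Security.addProvider` lines are left commented out; delete them or replace them with a one-line comment saying the JVM's configured providers are used. `init()` continues outside the hunk.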
Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-jbas-2775-server-header.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-jbas-2775-server-header.patch (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-jbas-2775-server-header.patch 2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,49 @@
+--- jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Http11Processor.java
++++ jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Http11Processor.java
+298a299,302
+> /**
+> * Allow a customized the server header for the tin-foil hat folks.
+> */
+> protected String server = null;
+707a712,729
+> * Set the server header name.
+> */
+> public void setServer( String server ) {
+> if (server==null || server.equals("")) {
+> this.server = null;
+> } else {
+> this.server = server;
+> }
+> }
+>
+> /**
+> * Get the server header name.
+> */
+> public String getServer() {
+> return server;
+> }
+>
+> /**
+1509a1532,1535
+>
+> if (server != null) {
+> headers.setValue("Server").setString(server);
+> } else {
+1510a1537
+> }
+--- jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Http11Protocol.java
++++ jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Http11Protocol.java
+229a230
+> private String server;
+568a570,577
+> public void setServer( String server ) {
+> this.server = server;
+> }
+>
+> public String getServer() {
+> return server;
+> }
+>
+659a669
+> processor.setServer( proto.server );
+
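Review bot: `Http11Protocol.setServer` and `getServer` are added without Javadoc, and the `Http11Processor` Javadoc says `Set the server header name` although it is the header's value that is set. I would document the setters as `Set the value sent in the Server response header; null or empty leaves the built-in value in place` (the `else` branch wraps an existing line that the patch does not show, so confirm that wording) and reword the field comment to `Custom value for the Server response header, or null to send the default`. `Http11Protocol.setServer` stores the string as given while `Http11Processor.setServer` maps the empty string to null, which is harmless because the processor normalises it. Neither setter rejects a value containing CR or LF, so a check in `Http11Processor.setServer` would keep a malformed configuration value from breaking the header block.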