[jboss-cvs] Repository SVN: r27649 - in apache-tomcat: 5.0.30.patch07-brew and 2 other directories.

jboss-cvs-commits at lists.jboss.org jboss-cvs-commits at lists.jboss.org
Tue Jul 7 18:33:39 EDT 2009


Author: dknox at redhat.com
Date: 2009-07-07 18:33:37 -0400 (Tue, 07 Jul 2009)
New Revision: 27649

Added:
   apache-tomcat/5.0.30.patch07-brew/
   apache-tomcat/5.0.30.patch07-brew/component-info.xml
   apache-tomcat/5.0.30.patch07-brew/lib/
   apache-tomcat/5.0.30.patch07-brew/lib/catalina-manager.jar
   apache-tomcat/5.0.30.patch07-brew/lib/catalina-optional.jar
   apache-tomcat/5.0.30.patch07-brew/lib/catalina.jar
   apache-tomcat/5.0.30.patch07-brew/lib/jasper-compiler.jar
   apache-tomcat/5.0.30.patch07-brew/lib/jasper-runtime.jar
   apache-tomcat/5.0.30.patch07-brew/lib/jsp-api.jar
   apache-tomcat/5.0.30.patch07-brew/lib/naming-common.jar
   apache-tomcat/5.0.30.patch07-brew/lib/naming-resources.jar
   apache-tomcat/5.0.30.patch07-brew/lib/servlet-api.jar
   apache-tomcat/5.0.30.patch07-brew/lib/servlets-common.jar
   apache-tomcat/5.0.30.patch07-brew/lib/servlets-default.jar
   apache-tomcat/5.0.30.patch07-brew/lib/servlets-invoker.jar
   apache-tomcat/5.0.30.patch07-brew/lib/servlets-webdav.jar
   apache-tomcat/5.0.30.patch07-brew/lib/tomcat-coyote.jar
   apache-tomcat/5.0.30.patch07-brew/lib/tomcat-http11.jar
   apache-tomcat/5.0.30.patch07-brew/lib/tomcat-jk2.jar
   apache-tomcat/5.0.30.patch07-brew/lib/tomcat-util.jar
   apache-tomcat/5.0.30.patch07-brew/src/
   apache-tomcat/5.0.30.patch07-brew/src/jakarta-tomcat-5.0.30-src.tar.gz
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2005-2090.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-3835.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7195.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7196.5.x.y.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-0450.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1358.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1858.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2450.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-3382_CVE-2007-3385.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5333.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5461.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-0128.5.0.x.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-1232.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2370.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2938.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-3271.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-bootstrap.MF.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-javaxssl.patch
   apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-jbas-2775-server-header.patch
Log:
Commiting tomcat5-5_0_30-0jpp_15rh CVE-2009-0033 CVE-2009-0783. CVE-2008-0781 not applied. CVE-2008-5515 not applied.

Added: apache-tomcat/5.0.30.patch07-brew/component-info.xml
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/component-info.xml	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/component-info.xml	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,54 @@
+<project name="apache-tomcat-component-info">
+
+   <component id="apache-tomcat"
+      licenseType="apache-2.0"
+      version="5.0.30.patch07-brew"
+      projectHome="http://jakarta.apache.org/tomcat/index.html"
+      description="Tomcat 5.0 servlet 2.4 web container+patches(JBAS-2775,CVE-2005-3510, CVE-2006-3835, CVE-2005-2090, CVE-2006-7195, CVE-2006-7196, CVE-2007-0450, CVE-2007-1858) and also patches for CVE-2007-3382, CVE-2007-3385 and CVE-2007-2450 and a fix for CVE-2007-5461, and also CVE-2007-1358, 2008-0128, CVE-2007-2449, CVE-2007-1355, CVE-2005-4838, plus CVE-2008-1232, CVE-2008-2370, and CVE-2008-2938, CVE-2008-3271, CVS-2007-5333">
+      <!-- cvsroot=":ext:cvs.devel.redhat.com:/cvs/dist/tomcat5"
+           tag="tomcat5-5_0_30-0jpp_15rh"
+        -->
+      <artifact id="catalina-manager.jar"/>
+      <artifact id="catalina-optional.jar"/>
+      <artifact id="catalina.jar"/>
+      <artifact id="jasper-compiler.jar"/>
+      <artifact id="jasper-runtime.jar"/>
+      <artifact id="naming-resources.jar"/>
+      <artifact id="servlets-default.jar"/>
+      <artifact id="servlets-invoker.jar"/>
+      <artifact id="servlets-webdav.jar"/>
+      <artifact id="servlets-common.jar"/>
+      <artifact id="servlet-api.jar"/>      
+      <artifact id="tomcat-coyote.jar"/>
+      <artifact id="tomcat-http11.jar"/>
+      <artifact id="tomcat-util.jar"/>
+      <artifact id="tomcat-jk2.jar"/> 
+      <artifact id="naming-common.jar"/>         
+      <artifact id="jsp-api.jar"/>         
+      <import componentref="apache-modeler">
+         <compatible version="1.1patch"/>
+      </import>
+      <import componentref="commons-el">
+         <compatible version="1.0"/>
+      </import>
+      <export>
+         <include input="catalina-manager.jar"/>
+         <include input="catalina-optional.jar"/>
+         <include input="catalina.jar"/>
+         <include input="jasper-compiler.jar"/>
+         <include input="jasper-runtime.jar"/>
+         <include input="naming-resources.jar"/>
+         <include input="servlets-default.jar"/>
+         <include input="servlets-invoker.jar"/>
+         <include input="servlets-webdav.jar"/>
+         <include input="servlets-common.jar"/>         
+         <include input="servlet-api.jar"/>                  
+         <include input="tomcat-coyote.jar"/>
+         <include input="tomcat-http11.jar"/>
+         <include input="tomcat-util.jar"/>
+         <include input="tomcat-jk2.jar"/>
+         <include input="naming-common.jar"/>
+         <include input="jsp-api.jar"/>         
+      </export>
+   </component>
+</project>

Added: apache-tomcat/5.0.30.patch07-brew/lib/catalina-manager.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/catalina-manager.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/catalina-optional.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/catalina-optional.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/catalina.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/catalina.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/jasper-compiler.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/jasper-compiler.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/jasper-runtime.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/jasper-runtime.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/jsp-api.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/jsp-api.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/naming-common.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/naming-common.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/naming-resources.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/naming-resources.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/servlet-api.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlet-api.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/servlets-common.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlets-common.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/servlets-default.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlets-default.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/servlets-invoker.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlets-invoker.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/servlets-webdav.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/servlets-webdav.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-coyote.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-coyote.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-http11.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-http11.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-jk2.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-jk2.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-util.jar
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/lib/tomcat-util.jar
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/src/jakarta-tomcat-5.0.30-src.tar.gz
===================================================================
(Binary files differ)


Property changes on: apache-tomcat/5.0.30.patch07-brew/src/jakarta-tomcat-5.0.30-src.tar.gz
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2005-2090.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2005-2090.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2005-2090.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,39 @@
+--- jakarta-tomcat-connectors/coyote/src/java/org/apache/coyote/Request.java	(revision 531784)
++++ jakarta-tomcat-connectors/coyote/src/java/org/apache/coyote/Request.java	(working copy)
+@@ -309,7 +309,7 @@
+     public long getContentLengthLong() {
+         if( contentLength > -1 ) return contentLength;
+ 
+-        MessageBytes clB = headers.getValue("content-length");
++        MessageBytes clB = headers.getUniqueValue("content-length");
+         contentLength = (clB == null || clB.isNull()) ? -1 : clB.getLong();
+ 
+         return contentLength;
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/MimeHeaders.java	(revision 531784)
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/MimeHeaders.java	(working copy)
+@@ -286,6 +286,25 @@
+         return null;
+     }
+ 
++    /**
++     * Finds and returns a unique header field with the given name. If no such
++     * field exists, null is returned. If the specified header field is not
++     * unique then an {@link IllegalArgumentException} is thrown.
++     */
++    public MessageBytes getUniqueValue(String name) {
++        MessageBytes result = null;
++        for (int i = 0; i < count; i++) {
++            if (headers[i].getName().equalsIgnoreCase(name)) {
++                if (result == null) {
++                    result = headers[i].getValue();
++                } else {
++                    throw new IllegalArgumentException();
++                }
++            }
++        }
++        return result;
++    }
++
+     // bad shortcut - it'll convert to string ( too early probably,
+     // encoding is guessed very late )
+     public String getHeader(String name) {

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-3835.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-3835.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-3835.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,34 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java	2005/11/09 19:43:12	332126
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/DefaultServlet.java	2005/11/09 19:50:47	332127
+@@ -98,7 +98,7 @@
+     /**
+      * Should we generate directory listings?
+      */
+-    protected boolean listings = true;
++    protected boolean listings = false;
+ 
+ 
+     /**
+--- jakarta-tomcat-catalina/catalina/src/conf/web.xml.orig	2004-11-24 11:55:06.000000000 -0500
++++ jakarta-tomcat-catalina/catalina/src/conf/web.xml	2007-04-27 16:58:02.000000000 -0400
+@@ -31,7 +31,10 @@
+   <!--                       resources to be served.  [2048]                -->
+   <!--                                                                      -->
+   <!--   listings            Should directory listings be produced if there -->
+-  <!--                       is no welcome file in this directory?  [true]  -->
++  <!--                       is no welcome file in this directory?  [false] -->
++  <!--                       WARNING: Listings for directories with many    -->
++  <!--                       entries can be slow and may consume            -->
++  <!--                       significant proportions of server resources.   -->
+   <!--                                                                      -->
+   <!--   output              Output buffer size (in bytes) when writing     -->
+   <!--                       resources to be served.  [2048]                -->
+@@ -68,7 +71,7 @@
+         </init-param>
+         <init-param>
+             <param-name>listings</param-name>
+-            <param-value>true</param-value>
++            <param-value>false</param-value>
+         </init-param>
+         <load-on-startup>1</load-on-startup>
+     </servlet>

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7195.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7195.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7195.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,49 @@
+--- jakarta-tomcat-catalina/webapps/docs/appdev/sample/src/mypackage/Hello.java.orig	2004-11-24 11:55:36.000000000 -0500
++++ jakarta-tomcat-catalina/webapps/docs/appdev/sample/src/mypackage/Hello.java	2007-04-27 14:29:32.000000000 -0400
+@@ -68,24 +68,11 @@
+ 	writer.println("<td>");
+ 	writer.println("<h1>Sample Application Servlet</h1>");
+ 	writer.println("This is the output of a servlet that is part of");
+-	writer.println("the Hello, World application.  It displays the");
+-	writer.println("request headers from the request we are currently");
+-	writer.println("processing.");
++	writer.println("the Hello, World application.");
+ 	writer.println("</td>");
+ 	writer.println("</tr>");
+ 	writer.println("</table>");
+ 
+-	writer.println("<table border=\"0\" width=\"100%\">");
+-	Enumeration names = request.getHeaderNames();
+-	while (names.hasMoreElements()) {
+-	    String name = (String) names.nextElement();
+-	    writer.println("<tr>");
+-	    writer.println("  <th align=\"right\">" + name + ":</th>");
+-	    writer.println("  <td>" + request.getHeader(name) + "</td>");
+-	    writer.println("</tr>");
+-	}
+-	writer.println("</table>");
+-
+ 	writer.println("</body>");
+ 	writer.println("</html>");
+ 
+--- jakarta-servletapi-5/jsr152/examples/jsp2/el/implicit-objects.jsp.orig	2004-11-24 11:54:58.000000000 -0500
++++ jakarta-servletapi-5/jsr152/examples/jsp2/el/implicit-objects.jsp	2007-04-27 14:29:32.000000000 -0400
+@@ -69,15 +69,15 @@
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${header["host"]}</td>
+-	    <td>${header["host"]}</td>
++	    <td>${fn:escapeXml(header["host"])}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${header["accept"]}</td>
+-	    <td>${header["accept"]}</td>
++	    <td>${fn:escapeXml(header["accept"])}&nbsp;</td>
+ 	  </tr>
+ 	  <tr>
+ 	    <td>\${header["user-agent"]}</td>
+-	    <td>${header["user-agent"]}</td>
++	    <td>${fn:escapeXml(header["user-agent"])}&nbsp;</td>
+ 	  </tr>
+ 	</table>
+       </code>

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7196.5.x.y.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7196.5.x.y.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2006-7196.5.x.y.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,17 @@
+--- jakarta-servletapi-5/jsr152/examples/cal/cal2.jsp	(revision 267240)
++++ jakarta-servletapi-5/jsr152/examples/cal/cal2.jsp	(revision 369933)
+@@ -29,12 +29,12 @@
+ 
+ <FONT SIZE=5> Please add the following event:
+ <BR> <h3> Date <%= table.getDate() %>
+-<BR> Time <%= time %> </h3>
++<BR> Time <%= util.HTMLFilter.filter(time) %> </h3>
+ </FONT>
+ <FORM METHOD=POST ACTION=cal1.jsp>
+ <BR> 
+ <BR> <INPUT NAME="date" TYPE=HIDDEN VALUE="current">
+-<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= time %>
++<BR> <INPUT NAME="time" TYPE=HIDDEN VALUE=<%= util.HTMLFilter.filter(time) %>
+ <BR> <h2> Description of the event <INPUT NAME="description" TYPE=TEXT SIZE=20> </h2>
+ <BR> <INPUT TYPE=SUBMIT VALUE="submit">
+ </FORM>

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-0450.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-0450.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-0450.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,89 @@
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/buf/UDecoder.java.orig	2004-11-24 11:55:55.000000000 -0500
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/buf/UDecoder.java	2007-04-27 14:30:13.000000000 -0400
+@@ -29,6 +29,9 @@
+  */
+ public final class UDecoder {
+     
++    protected static final boolean ALLOW_ENCODED_SLASH = 
++        Boolean.valueOf(System.getProperty("org.apache.tomcat.util.buf.UDecoder.ALLOW_ENCODED_SLASH", "false")).booleanValue();
++    
+     public UDecoder() 
+     {
+     }
+@@ -62,6 +65,8 @@
+ 	// idx will be the smallest positive inxes ( first % or + )
+ 	if( idx2 >= 0 && idx2 < idx ) idx=idx2;
+ 	if( idx < 0 ) idx=idx2;
++    
++	boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+ 
+ 	for( int j=idx; j<end; j++, idx++ ) {
+ 	    if( buff[ j ] == '+' && query) {
+@@ -80,6 +85,9 @@
+ 		
+ 		j+=2;
+ 		int res=x2c( b1, b2 );
++                if (noSlash && (res == '/')) {
++                    throw new CharConversionException( "noSlash");
++                }
+ 		buff[idx]=(byte)res;
+ 	    }
+ 	}
+@@ -121,7 +129,8 @@
+ 	
+ 	if( idx2 >= 0 && idx2 < idx ) idx=idx2; 
+ 	if( idx < 0 ) idx=idx2;
+-
++    
++	boolean noSlash = !(ALLOW_ENCODED_SLASH || query);
+ 	for( int j=idx; j<cend; j++, idx++ ) {
+ 	    if( buff[ j ] == '+' && query ) {
+ 		buff[idx]=( ' ' );
+@@ -140,6 +149,9 @@
+ 		
+ 		j+=2;
+ 		int res=x2c( b1, b2 );
++		if (noSlash && (res == '/')) {
++		    throw new CharConversionException( "noSlash");
++            	}
+ 		buff[idx]=(char)res;
+ 	    }
+ 	}
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteAdapter.java.orig	2004-11-24 11:55:18.000000000 -0500
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteAdapter.java	2007-04-27 14:30:13.000000000 -0400
+@@ -54,6 +54,8 @@
+  {
+     private static Log log = LogFactory.getLog(CoyoteAdapter.class);
+ 
++    protected static final boolean ALLOW_BACKSLASH = 
++        Boolean.valueOf(System.getProperty("org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH", "false")).booleanValue();
+     // -------------------------------------------------------------- Constants
+ 
+ 
+@@ -232,8 +234,8 @@
+                 req.getURLDecoder().convert(decodedURI, false);
+             } catch (IOException ioe) {
+                 res.setStatus(400);
+-                res.setMessage("Invalid URI");
+-                throw ioe;
++                res.setMessage("Invalid URI: " + ioe.getMessage());
++                return false;
+             }
+             // Normalization
+             if (!normalize(req.decodedURI())) {
+@@ -473,8 +475,13 @@
+         // Replace '\' with '/'
+         // Check for null byte
+         for (pos = start; pos < end; pos++) {
+-            if (b[pos] == (byte) '\\')
+-                b[pos] = (byte) '/';
++            if (b[pos] == (byte) '\\') {
++                if (ALLOW_BACKSLASH) {
++                    b[pos] = (byte) '/';
++                } else {
++                    return false;
++                }
++            }
+             if (b[pos] == (byte) 0)
+                 return false;
+         }

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1358.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1358.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1358.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,27 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java	2004-11-24 17:55:18.000000000 +0100
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java	2008-04-04 15:35:26.000000000 +0200
+@@ -2539,6 +2539,9 @@
+                     variant = "";
+                 }
+             }
++            if (!isAlpha(language) || !isAlpha(country) || !isAlpha(variant)) {
++                continue;
++            }
+ 
+             // Add a new Locale to the list of Locales for this quality level
+             Locale locale = new Locale(language, country, variant);
+@@ -2604,4 +2607,14 @@
+ 
+     }
+ 
++    protected static final boolean isAlpha(String value) {
++        for (int i = 0; i < value.length(); i++) {
++            char c = value.charAt(i);
++            if (!((c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'))) {
++                return false;
++            }
++        }
++        return true;
++    }
++
+ }

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1858.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1858.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-1858.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,13 @@
+Index: jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java
+===================================================================
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java	(revision 531485)
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSESocketFactory.java	(working copy)
+@@ -187,6 +187,8 @@
+                 enabledCiphers = new String[vec.size()];
+                 vec.copyInto(enabledCiphers);
+             }
++        } else {
++            enabledCiphers = sslProxy.getDefaultCipherSuites();
+         }
+ 
+         return enabledCiphers;

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2449_CVE-2007-1355_CVE-2005-4838.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,42 @@
+--- jakarta-tomcat-catalina/webapps/docs/build.xml	2008-04-04 13:28:58.000000000 -0400
++++ jakarta-tomcat-catalina/webapps/docs/build.xml	2008-04-07 12:14:25.000000000 -0400
+@@ -43,11 +43,13 @@
+     <copy    todir="${webapps.build}/${webapp.name}/appdev">
+       <fileset dir="appdev" includes="*.txt"/>
+     </copy>
++<!--
+     <copy    todir="${webapps.build}/${webapp.name}/appdev/sample">
+       <fileset dir="appdev/sample"/>
+     </copy>
+     <copy   tofile="${webapps.build}/${webapp.name}/appdev/sample/build.xml"
+               file="appdev/build.xml.txt"/>
++-->
+ 
+     <!-- Catalina Functional Specifications -->
+     <mkdir     dir="${webapps.build}/${webapp.name}/catalina/funcspecs"/>
+--- jakarta-tomcat-5/build.xml	2008-04-04 12:26:53.000000000 -0400
++++ jakarta-tomcat-5/build.xml	2008-04-04 15:53:22.000000000 -0400
+@@ -300,6 +300,7 @@
+       <classpath refid="jspc.classpath"/>
+     </taskdef>
+ 
++<!--
+     <jasper2 
+              compile="false"
+              validateXml="false"
+@@ -324,6 +325,7 @@
+              webXmlFragment="${admin.base}/WEB-INF/generated_web.xml"
+              addWebXmlMappings="true"
+              outputDir="${admin.base}/WEB-INF/src/admin" />
++-->
+ 
+     <javac destdir="${ROOT.base}/WEB-INF/classes"
+            optimize="off"
+@@ -350,6 +352,7 @@
+       </fileset>
+     </copy>
+ 
++    <mkdir dir="${jsp-examples.base}/WEB-INF/classes"/>
+     <javac destdir="${jsp-examples.base}/WEB-INF/classes"
+            optimize="off"
+            debug="on" failonerror="false"

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2450.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2450.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-2450.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,23 @@
+--- jakarta-tomcat-catalina/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java	2007-09-05 09:41:50.000000000 +0200
++++ jakarta-tomcat-catalina/webapps/manager/WEB-INF/classes/org/apache/catalina/manager/HTMLManagerServlet.java	2007-09-05 09:42:16.000000000 +0200
+@@ -33,6 +33,7 @@
+ import javax.servlet.http.HttpServletResponse;
+ import org.apache.catalina.Context;
+ import org.apache.catalina.Host;
++import org.apache.catalina.util.RequestUtil;
+ import org.apache.catalina.util.ServerInfo;
+ import org.apache.commons.fileupload.FileItem;
+ import org.apache.commons.fileupload.DiskFileUpload;
+@@ -304,7 +305,11 @@
+         // Message Section
+         args = new Object[3];
+         args[0] = sm.getString("htmlManagerServlet.messageLabel");
+-        args[1] = (message == null || message.length() == 0) ? "OK" : message;
++        if (message == null || message.length() == 0) {
++            args[1] = "OK";
++        } else {
++            args[1] = RequestUtil.filter(message);
++        }
+         writer.print(MessageFormat.format(Constants.MESSAGE_SECTION, args));
+ 
+         // Manager Section

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-3382_CVE-2007-3385.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-3382_CVE-2007-3385.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-3382_CVE-2007-3385.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,161 @@
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java	2007/07/25 02:14:15	559282
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java	2007/07/25 02:19:40	559283
+@@ -123,6 +123,7 @@
+     //
+     // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";
+     private static final String tspecials = ",;";
++    private static final String tspecials2 = ",; \"";
+ 
+     /*
+      * Tests a string and returns true if the string counts as a
+@@ -147,6 +148,20 @@
+ 	return true;
+     }
+ 
++    public static boolean isToken2(String value) {
++        if( value==null) return true;
++        int len = value.length();
++
++        for (int i = 0; i < len; i++) {
++            char c = value.charAt(i);
++
++            if (c < 0x20 || c >= 0x7f || tspecials2.indexOf(c) != -1)
++                return false;
++        }
++        return true;
++    }
++
++
+     public static boolean checkName( String name ) {
+ 	if (!isToken(name)
+ 		|| name.equalsIgnoreCase("Comment")	// rfc2019
+@@ -206,7 +221,7 @@
+         // this part is the same for all cookies
+ 	buf.append( name );
+         buf.append("=");
+-        maybeQuote(version, buf, value);
++        maybeQuote2(version, buf, value);
+ 
+ 	// XXX Netscape cookie: "; "
+  	// add version 1 specific information
+@@ -276,16 +291,56 @@
+ 		throw new IllegalArgumentException( value );
+ 	    else {
+ 		buf.append ('"');
+-		buf.append (value);
++		buf.append (escapeDoubleQuotes(value));
+ 		buf.append ('"');
+ 	    }
+ 	}
+     }
+ 
++    public static void maybeQuote2 (int version, StringBuffer buf,
++            String value) {
++        // special case - a \n or \r  shouldn't happen in any case
++        if (isToken2(value)) {
++            buf.append(value);
++        } else {
++            buf.append('"');
++            buf.append(escapeDoubleQuotes(value));
++            buf.append('"');
++        }
++    }
++
++
+     // log
+     static final int dbg=1;
+     public static void log(String s ) {
+ 	System.out.println("ServerCookie: " + s);
++    }
++
++    /**
++     * Escapes any double quotes in the given string.
++     *
++     * @param s the input string
++     *
++     * @return The (possibly) escaped string
++     */
++    private static String escapeDoubleQuotes(String s) {
++
++        if (s == null || s.length() == 0 || s.indexOf('"') == -1) {
++            return s;
++        }
++
++        StringBuffer b = new StringBuffer();
++        char p = s.charAt(0);
++        for (int i = 0; i < s.length(); i++) {
++            char c = s.charAt(i);
++            if (c == '"' && p != '\\')
++                b.append('\\').append('"');
++            else
++                b.append(c);
++            p = c;
++        }
++
++        return b.toString();
+     }
+ 
+ }
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/Cookies.java	2007-08-24 11:23:52.000000000 +0200
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/Cookies.java	2007-08-24 11:43:55.000000000 +0200
+@@ -243,9 +243,11 @@
+ 	    
+ 	    // quote is valid only in version=1 cookies
+ 	    cc=bytes[pos];
+-	    if( ( version == 1 || isSpecial ) && ( cc== '\'' || cc=='"' ) ) {
+-		startValue++;
+-		endValue=indexOf( bytes, startValue, end, cc );
++	    if( ( version == 1 || isSpecial ) && ( cc== '"' ) ) {
++                endValue=findDelim3( bytes, startValue+1, end, cc );
++                if (endValue == -1) {
++                    endValue = findDelim2(bytes, startValue+1, end);
++                } else startValue++;
+ 		pos=endValue+1; // to skip to next cookie
+  	    } else {
+ 		endValue=findDelim2( bytes, startValue, end );
+@@ -321,28 +323,26 @@
+ 	return off;
+     }
+ 
+-    public static int indexOf( byte bytes[], int off, int end, byte qq )
++    /*
++     *  search for cc but skip \cc as required by rfc2616
++     *  (according to rfc2616 cc should be ")
++     */
++    public static int findDelim3( byte bytes[], int off, int end, byte cc )
+     {
+-	while( off < end ) {
+-	    byte b=bytes[off];
+-	    if( b==qq )
+-		return off;
+-	    off++;
+-	}
+-	return off;
++        while( off < end ) {
++            byte b=bytes[off];
++            if (b=='\\') {
++                off++;
++                off++;
++                continue;
++            }
++            if( b==cc )
++                return off;
++            off++;
++        }
++        return -1;
+     }
+ 
+-    public static int indexOf( byte bytes[], int off, int end, char qq )
+-    {
+-	while( off < end ) {
+-	    byte b=bytes[off];
+-	    if( b==qq )
+-		return off;
+-	    off++;
+-	}
+-	return off;
+-    }
+-    
+     // XXX will be refactored soon!
+     public static boolean equals( String s, byte b[], int start, int end) {
+ 	int blen = end-start;

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5333.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5333.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5333.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,965 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java	2009-04-20 17:29:42.000000000 +0200
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteRequest.java	2009-04-21 09:41:12.000000000 +0200
+@@ -2312,6 +2312,22 @@
+         }
+     }
+ 
++    protected String unescape(String s) {
++        if (s==null) return null;
++        if (s.indexOf('\\') == -1) return s;
++        StringBuffer buf = new StringBuffer();
++        for (int i=0; i<s.length(); i++) {
++            char c = s.charAt(i);
++            if (c!='\\') buf.append(c);
++            else {
++                if (++i >= s.length()) throw new IllegalArgumentException();//invalid escape, hence invalid cookie
++                c = s.charAt(i);
++                buf.append(c);
++            }
++        }
++        return buf.toString();
++    }
++    
+     /**
+      * Parse cookies.
+      */
+@@ -2330,14 +2346,18 @@
+         for (int i = 0; i < count; i++) {
+             ServerCookie scookie = serverCookies.getCookie(i);
+             try {
+-                Cookie cookie = new Cookie(scookie.getName().toString(),
+-                                           scookie.getValue().toString());
+-                cookie.setPath(scookie.getPath().toString());
+-                cookie.setVersion(scookie.getVersion());
++                /*
++                we must unescape the '\\' escape character
++                */
++                Cookie cookie = new Cookie(scookie.getName().toString(),null);
++                int version = scookie.getVersion();
++                cookie.setVersion(version);
++                cookie.setValue(unescape(scookie.getValue().toString()));
++                cookie.setPath(unescape(scookie.getPath().toString()));
+                 String domain = scookie.getDomain().toString();
+-                if (domain != null) {
+-                    cookie.setDomain(scookie.getDomain().toString());
+-                }
++                if (domain!=null) cookie.setDomain(unescape(domain));//avoid NPE
++                String comment = scookie.getComment().toString();
++                cookie.setComment(version==1?unescape(comment):null);
+                 cookies[idx++] = cookie;
+             } catch(IllegalArgumentException e) {
+                 // Ignore bad cookie
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteResponse.java	2004-11-24 17:55:18.000000000 +0100
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteResponse.java	2009-04-21 09:41:12.000000000 +0200
+@@ -932,9 +932,9 @@
+         if (included)
+             return;
+ 
+-        cookies.add(cookie);
+-
+         final StringBuffer sb = new StringBuffer();
++        //web application code can receive a IllegalArgumentException 
++        //from the appendCookieValue invokation
+         if (SecurityUtil.isPackageProtectionEnabled()) {
+             AccessController.doPrivileged(new PrivilegedAction() {
+                 public Object run(){
+@@ -953,11 +953,13 @@
+                      cookie.getMaxAge(), cookie.getSecure());
+         }
+ 
++        // if we reached here, no exception, cookie is valid
+         // the header name is Set-Cookie for both "old" and v.1 ( RFC2109 )
+         // RFC2965 is not supported by browsers and the Servlet spec
+         // asks for 2109.
+         addHeader("Set-Cookie", sb.toString());
+ 
++        cookies.add(cookie);
+     }
+ 
+ 
+--- jakarta-tomcat-catalina/webapps/docs/changelog.xml	2004-11-24 17:55:37.000000000 +0100
++++ jakarta-tomcat-catalina/webapps/docs/changelog.xml	2009-04-21 09:56:50.000000000 +0200
+@@ -79,6 +79,18 @@
+       <fix>
+         <bug>32269</bug>: JNDIRealm fails with InvalidNameException to authenticate users if LDAP distinguished name (DN) contains slash or double quote character(s). (yoavs)
+       </fix>
++      <fix>
++        Cookie handling/parsing changes!
++        The following behavior has been changed with regards to Tomcat's cookie
++        handling:<br/>
++        a) Cookies containing control characters, except 0x09(HT), are rejected
++        using an InvalidArgumentException.<br/>
++        b) If cookies are not quoted, they will be quoted if they contain
++        <code>tspecials(ver0)</code> or <code>tspecials2(ver1)</code>
++        characters.<br/>
++        c) Escape character '\\' is allowed and respected as a escape character,
++        and will be unescaped during parsing.
++      </fix>
+     </changelog>
+   </subsection>
+ 
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/Cookies.java	2009-04-20 17:29:42.000000000 +0200
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/Cookies.java	2009-04-20 17:49:17.000000000 +0200
+@@ -41,6 +41,27 @@
+     boolean unprocessed=true;
+ 
+     MimeHeaders headers;
++
++    /*
++    List of Separator Characters (see isSeparator())
++    Excluding the '/' char violates the RFC, but 
++    it looks like a lot of people put '/'
++    in unquoted values: '/': ; //47 
++    '\t':9 ' ':32 '\"':34 '\'':39 '(':40 ')':41 ',':44 ':':58 ';':59 '<':60 
++    '=':61 '>':62 '?':63 '@':64 '[':91 '\\':92 ']':93 '{':123 '}':125
++    */
++    public static final char SEPARATORS[] = { '\t', ' ', '\"', '\'', '(', ')', ',', 
++        ':', ';', '<', '=', '>', '?', '@', '[', '\\', ']', '{', '}' };
++
++    protected static final boolean separators[] = new boolean[128];
++    static {
++        for (int i = 0; i < 128; i++) {
++            separators[i] = false;
++        }
++        for (int i = 0; i < SEPARATORS.length; i++) {
++            separators[SEPARATORS[i]] = true;
++        }
++    }
+     
+     /**
+      *  Construct a new cookie collection, that will extract
+@@ -175,174 +196,6 @@
+ 	}
+     }
+ 
+-    /** Process a byte[] header - allowing fast processing of the
+-     *  raw data
+-     */
+-    void processCookieHeader(  byte bytes[], int off, int len )
+-    {
+-	if( len<=0 || bytes==null ) return;
+-	int end=off+len;
+-	int pos=off;
+-	
+-	int version=0; //sticky
+-	ServerCookie sc=null;
+-	
+-
+-	while( pos<end ) {
+-	    byte cc;
+-	    // [ skip_spaces name skip_spaces "=" skip_spaces value EXTRA ; ] *
+-	    if( dbg>0 ) log( "Start: " + pos + " " + end );
+-	    
+-	    pos=skipSpaces(bytes, pos, end);
+-	    if( pos>=end )
+-		return; // only spaces
+-	    int startName=pos;
+-	    if( dbg>0 ) log( "SN: " + pos );
+-	    
+-	    // Version should be the first token
+-	    boolean isSpecial=false;
+-	    if(bytes[pos]=='$') { pos++; isSpecial=true; }
+-
+-	    pos= findDelim1( bytes, startName, end); // " =;,"
+-	    int endName=pos;
+-	    // current = "=" or " " or DELIM
+-	    pos= skipSpaces( bytes, endName, end ); 
+-	    if( dbg>0 ) log( "DELIM: " + endName + " " + (char)bytes[pos]);
+-
+-	    if(pos >= end ) {
+-		// it's a name-only cookie ( valid in RFC2109 )
+-		if( ! isSpecial ) {
+-		    sc=addCookie();
+-		    sc.getName().setBytes( bytes, startName,
+-					   endName-startName );
+-		    sc.getValue().setString("");
+-		    sc.setVersion( version );
+-		    if( dbg>0 ) log( "Name only, end: " + startName + " " +
+-				     endName);
+-		}
+-		return;
+-	    }
+-
+-	    cc=bytes[pos];
+-	    pos++;
+-	    if( cc==';' || cc==',' ) {
+-		if( ! isSpecial && startName!= endName ) {
+-		    sc=addCookie();
+-		    sc.getName().setBytes( bytes, startName,
+-					   endName-startName );
+-		    sc.getValue().setString("");
+-		    sc.setVersion( version );
+-		    if( dbg>0 ) log( "Name only: " + startName + " " + endName);
+-		}
+-		continue;
+-	    }
+-	    
+-	    // we should have "=" ( tested all other alternatives )
+-	    int startValue=skipSpaces( bytes, pos, end);
+-	    int endValue=startValue;
+-	    
+-	    // quote is valid only in version=1 cookies
+-	    cc=bytes[pos];
+-	    if( ( version == 1 || isSpecial ) && ( cc== '"' ) ) {
+-                endValue=findDelim3( bytes, startValue+1, end, cc );
+-                if (endValue == -1) {
+-                    endValue = findDelim2(bytes, startValue+1, end);
+-                } else startValue++;
+-		pos=endValue+1; // to skip to next cookie
+- 	    } else {
+-		endValue=findDelim2( bytes, startValue, end );
+-		pos=endValue+1;
+-	    }
+-	    
+-	    // if not $Version, etc
+-	    if( ! isSpecial ) {
+-		sc=addCookie();
+-		sc.getName().setBytes( bytes, startName, endName-startName );
+-		sc.getValue().setBytes( bytes, startValue, endValue-startValue);
+-		sc.setVersion( version );
+-		if( dbg>0 ) log( "New: " + sc.getName() + "X=X" + sc.getValue());
+-		continue;
+-	    }
+-	    
+-	    // special - Path, Version, Domain, Port
+-	    if( dbg>0 ) log( "Special: " + startName + " " + endName);
+-	    // XXX TODO
+-	    if( equals( "$Version", bytes, startName, endName ) ) {
+-		if(dbg>0 ) log( "Found version " );
+-		if( bytes[startValue]=='1' && endValue==startValue+1 ) {
+-		    version=1;
+-		    if(dbg>0 ) log( "Found version=1" );
+-		}
+-		continue;
+-	    }
+-	    if( sc==null ) {
+-		// Path, etc without a previous cookie
+-		continue;
+-	    }
+-	    if( equals( "$Path", bytes, startName, endName ) ) {
+-		sc.getPath().setBytes( bytes, startValue, endValue-startValue );
+-	    }
+-	    if( equals( "$Domain", bytes, startName, endName ) ) {
+-		sc.getDomain().setBytes( bytes, startValue, endValue-startValue );
+-	    }
+-	    if( equals( "$Port", bytes, startName, endName ) ) {
+-		// sc.getPort().setBytes( bytes, startValue, endValue-startValue );
+-	    }
+-	}
+-    }
+-
+-    // -------------------- Utils --------------------
+-    public static int skipSpaces(  byte bytes[], int off, int end ) {
+-	while( off < end ) {
+-	    byte b=bytes[off];
+-	    if( b!= ' ' ) return off;
+-	    off ++;
+-	}
+-	return off;
+-    }
+-
+-    public static int findDelim1( byte bytes[], int off, int end )
+-    {
+-	while( off < end ) {
+-	    byte b=bytes[off];
+-	    if( b==' ' || b=='=' || b==';' || b==',' )
+-		return off;
+-	    off++;
+-	}
+-	return off;
+-    }
+-
+-    public static int findDelim2( byte bytes[], int off, int end )
+-    {
+-	while( off < end ) {
+-	    byte b=bytes[off];
+-	    if( b==';' || b==',' )
+-		return off;
+-	    off++;
+-	}
+-	return off;
+-    }
+-
+-    /*
+-     *  search for cc but skip \cc as required by rfc2616
+-     *  (according to rfc2616 cc should be ")
+-     */
+-    public static int findDelim3( byte bytes[], int off, int end, byte cc )
+-    {
+-        while( off < end ) {
+-            byte b=bytes[off];
+-            if (b=='\\') {
+-                off++;
+-                off++;
+-                continue;
+-            }
+-            if( b==cc )
+-                return off;
+-            off++;
+-        }
+-        return -1;
+-    }
+-
+     // XXX will be refactored soon!
+     public static boolean equals( String s, byte b[], int start, int end) {
+ 	int blen = end-start;
+@@ -398,7 +251,7 @@
+     /**
+      *
+      * Strips quotes from the start and end of the cookie string
+-     * This conforms to RFC 2109
++     * This conforms to RFC 2965
+      * 
+      * @param value            a <code>String</code> specifying the cookie 
+      *                         value (possibly quoted).
+@@ -409,8 +262,7 @@
+     private static String stripQuote( String value )
+     {
+ 	//	log("Strip quote from " + value );
+-	if (((value.startsWith("\"")) && (value.endsWith("\""))) ||
+-	    ((value.startsWith("'") && (value.endsWith("'"))))) {
++	if (value.startsWith("\"") && value.endsWith("\"")) {
+ 	    try {
+ 		return value.substring(1,value.length()-1);
+ 	    } catch (Exception ex) { 
+@@ -426,42 +278,299 @@
+ 	System.out.println("Cookies: " + s);
+     }
+ 
+-    /*
+-    public static void main( String args[] ) {
+-	test("foo=bar; a=b");
+-	test("foo=bar;a=b");
+-	test("foo=bar;a=b;");
+-	test("foo=bar;a=b; ");
+-	test("foo=bar;a=b; ;");
+-	test("foo=;a=b; ;");
+-	test("foo;a=b; ;");
+-	// v1 
+-	test("$Version=1; foo=bar;a=b"); 
+-        test("$Version=\"1\"; foo='bar'; $Path=/path; $Domain=\"localhost\"");
+-	test("$Version=1;foo=bar;a=b; ; ");
+-	test("$Version=1;foo=;a=b; ; ");
+-	test("$Version=1;foo= ;a=b; ; ");
+-	test("$Version=1;foo;a=b; ; ");
+-	test("$Version=1;foo=\"bar\";a=b; ; ");
+-	test("$Version=1;foo=\"bar\";$Path=/examples;a=b; ; ");
+-	test("$Version=1;foo=\"bar\";$Domain=apache.org;a=b");
+-	test("$Version=1;foo=\"bar\";$Domain=apache.org;a=b;$Domain=yahoo.com");
+-	// rfc2965
+-	test("$Version=1;foo=\"bar\";$Domain=apache.org;$Port=8080;a=b");
+-
+-	// wrong
+-	test("$Version=1;foo=\"bar\";$Domain=apache.org;$Port=8080;a=b");
+-    }
+-
+-    public static void test( String s ) {
+-	System.out.println("Processing " + s );
+-	Cookies cs=new Cookies(null);
+-	cs.processCookieHeader( s.getBytes(), 0, s.length());
+-	for( int i=0; i< cs.getCookieCount() ; i++ ) {
+-	    System.out.println("Cookie: " + cs.getCookie( i ));
+-	}
+-	    
++  
++   /**
++     * Returns true if the byte is a separator character as
++     * defined in RFC2619. Since this is called often, this
++     * function should be organized with the most probable
++     * outcomes first.
++     */
++    public static final boolean isSeparator(final byte c) {
++         if (c > 0 && c < 126)
++             return separators[c];
++         else
++             return false;
+     }
+-    */
++    
++    /**
++     * Returns true if the byte is a whitespace character as
++     * defined in RFC2619.
++     */
++    public static final boolean isWhiteSpace(final byte c) {
++        // This switch statement is slightly slower
++        // for my vm than the if statement.
++        // Java(TM) 2 Runtime Environment, Standard Edition (build 1.5.0_07-164)
++        /* 
++        switch (c) {
++        case ' ':;
++        case '\t':;
++        case '\n':;
++        case '\r':;
++        case '\f':;
++            return true;
++        default:;
++            return false;
++             }
++        */
++       if (c == ' ' || c == '\t' || c == '\n' || c == '\r' || c == '\f')
++           return true;
++       else
++           return false;
++    }
++
++    /**
++     * Parses a cookie header after the initial "Cookie:"
++     * [WS][$]token[WS]=[WS](token|QV)[;|,]
++     * RFC 2965
++     * JVK
++     */
++    public final void processCookieHeader(byte bytes[], int off, int len){
++        if( len<=0 || bytes==null ) return;
++        int end=off+len;
++        int pos=off;
++        int nameStart=0;
++        int nameEnd=0;
++        int valueStart=0;
++        int valueEnd=0;
++        int version = 0;
++        ServerCookie sc=null;
++        boolean isSpecial;
++        boolean isQuoted;
++
++        while (pos < end) {
++            isSpecial = false;
++            isQuoted = false;
++
++            // Skip whitespace and non-token characters (separators)
++            while (pos < end && 
++                   (isSeparator(bytes[pos]) || isWhiteSpace(bytes[pos]))) 
++                {pos++; } 
++
++            if (pos >= end)
++                return;
++
++            // Detect Special cookies
++            if (bytes[pos] == '$') {
++                isSpecial = true;
++                pos++;
++            }
+ 
++            // Get the cookie name. This must be a token            
++            valueEnd = valueStart = nameStart = pos; 
++            pos = nameEnd = getTokenEndPosition(bytes,pos,end);
++
++            // Skip whitespace
++            while (pos < end && isWhiteSpace(bytes[pos])) {pos++; }; 
++         
++
++            // Check for an '=' -- This could also be a name-only
++            // cookie at the end of the cookie header, so if we
++            // are past the end of the header, but we have a name
++            // skip to the name-only part.
++            if (pos < end && bytes[pos] == '=') {                
++
++                // Skip whitespace
++                do {
++                    pos++;
++                } while (pos < end && isWhiteSpace(bytes[pos])); 
++
++                if (pos >= end)
++                    return;
++
++                // Determine what type of value this is, quoted value,
++                // token, name-only with an '=', or other (bad)
++                switch (bytes[pos]) {
++                case '"':; // Quoted Value
++                    isQuoted = true;
++                    valueStart=pos + 1; // strip "
++                    // getQuotedValue returns the position before 
++                    // at the last qoute. This must be dealt with
++                    // when the bytes are copied into the cookie
++                    valueEnd=getQuotedValueEndPosition(bytes, 
++                                                       valueStart, end);
++                    // We need pos to advance
++                    pos = valueEnd; 
++                    // Handles cases where the quoted value is 
++                    // unterminated and at the end of the header, 
++                    // e.g. [myname="value]
++                    if (pos >= end)
++                         return;
++                     break;
++                 case ';':
++                 case ',':
++                     // Name-only cookie with an '=' after the name token
++                     // This may not be RFC compliant
++                     valueStart = valueEnd = -1;
++                     // The position is OK (On a delimiter)
++                     break;
++                 default:;
++                     if (!isSeparator(bytes[pos])) {
++                         // Token
++                         valueStart=pos;
++                         // getToken returns the position at the delimeter
++                         // or other non-token character
++                         valueEnd=getTokenEndPosition(bytes, valueStart, end);
++                         // We need pos to advance
++                         pos = valueEnd;
++                     } else  {
++                         // INVALID COOKIE, advance to next delimiter
++                         // The starting character of the cookie value was
++                         // not valid.
++                         log("Invalid cookie. Value not a token or quoted value");
++                         while (pos < end && bytes[pos] != ';' && 
++                                bytes[pos] != ',') 
++                             {pos++; };
++                         pos++;
++                         // Make sure no special avpairs can be attributed to 
++                         // the previous cookie by setting the current cookie
++                         // to null
++                         sc = null;
++                         continue;                        
++                     }
++                 }
++             } else {
++                 // Name only cookie
++                 valueStart = valueEnd = -1;
++                 pos = nameEnd;
++ 
++             }
++           
++             // We should have an avpair or name-only cookie at this
++             // point. Perform some basic checks to make sure we are
++             // in a good state.
++   
++             // Skip whitespace
++             while (pos < end && isWhiteSpace(bytes[pos])) {pos++; }; 
++ 
++ 
++             // Make sure that after the cookie we have a separator. This
++             // is only important if this is not the last cookie pair
++             while (pos < end && bytes[pos] != ';' && bytes[pos] != ',') { 
++                 pos++;
++             }
++                  
++             pos++;
++ 
++             /*
++             if (nameEnd <= nameStart || valueEnd < valueStart ) {
++                 // Something is wrong, but this may be a case
++                 // of having two ';' characters in a row.
++                 // log("Cookie name/value does not conform to RFC 2965");
++                 // Advance to next delimiter (ignoring everything else)
++                 while (pos < end && bytes[pos] != ';' && bytes[pos] != ',') 
++                     { pos++; };
++                 pos++;
++                 // Make sure no special cookies can be attributed to 
++                 // the previous cookie by setting the current cookie
++                 // to null
++                 sc = null;
++                 continue;
++             }
++             */
++ 
++             // All checks passed. Add the cookie, start with the 
++             // special avpairs first
++             if (isSpecial) {
++                 isSpecial = false;
++                 // $Version must be the first avpair in the cookie header
++                 // (sc must be null)
++                 if (equals( "Version", bytes, nameStart, nameEnd) && 
++                     sc == null) {
++                     // Set version
++                     if( bytes[valueStart] =='1' && valueEnd == (valueStart+1)) {
++                         version=1;
++                     } else {
++                         // unknown version (Versioning is not very strict)
++                     }
++                     continue;
++                 } 
++                 
++                 // We need an active cookie for Path/Port/etc.
++                 if (sc == null) {
++                     continue;
++                 }
++ 
++                 // Domain is more common, so it goes first
++                 if (equals( "Domain", bytes, nameStart, nameEnd)) {
++                     sc.getDomain().setBytes( bytes,
++                                            valueStart,
++                                            valueEnd-valueStart);
++                     continue;
++                 } 
++ 
++                 if (equals( "Path", bytes, nameStart, nameEnd)) {
++                     sc.getPath().setBytes( bytes,
++                                            valueStart,
++                                            valueEnd-valueStart);
++                     continue;
++                 } 
++ 
++ 
++                 if (equals( "Port", bytes, nameStart, nameEnd)) {
++                     // sc.getPort is not currently implemented.
++                     // sc.getPort().setBytes( bytes,
++                     //                        valueStart,
++                     //                        valueEnd-valueStart );
++                     continue;
++                 } 
++ 
++                 // Unknown cookie, complain
++                 log("Unknown Special Cookie");
++ 
++             } else { // Normal Cookie
++                 sc = addCookie();
++                 sc.setVersion( version );
++                 sc.getName().setBytes( bytes, nameStart,
++                                        nameEnd-nameStart);
++                 
++                 if (valueStart != -1) { // Normal AVPair
++                     sc.getValue().setBytes( bytes, valueStart,
++                             valueEnd-valueStart);
++                     if (isQuoted) {
++                         // We know this is a byte value so this is safe
++                         ServerCookie.unescapeDoubleQuotes(
++                                 sc.getValue().getByteChunk());
++                     }                    
++                 } else {
++                     // Name Only
++                     sc.getValue().setString(""); 
++                 }
++                 continue;
++             }
++          }
++      }
++  
++     /**
++      * Given the starting position of a token, this gets the end of the
++      * token, with no separator characters in between.
++      * JVK
++      */
++     public static final int getTokenEndPosition(byte bytes[], int off, int end){
++         int pos = off;
++         while (pos < end && !isSeparator(bytes[pos])) {pos++; };
++         
++         if (pos > end)
++             return end;
++         return pos;
++     }
++ 
++     /** 
++      * Given a starting position after an initial quote chracter, this gets
++      * the position of the end quote. This escapes anything after a '\' char
++      * JVK RFC 2616
++      */
++     public static final int getQuotedValueEndPosition(byte bytes[], int off, int end){
++         int pos = off;
++         while (pos < end) {
++             if (bytes[pos] == '"') {
++                 return pos;                
++             } else if (bytes[pos] == '\\' && pos < (end - 1)) {
++                 pos+=2;
++             } else {
++                 pos++;
++             }
++         }
++         // Error, we have reached the end of the header w/o a end quote
++         return end;
++     }
+ }
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java	2009-04-20 17:29:42.000000000 +0200
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/http/ServerCookie.java	2009-04-20 18:34:27.000000000 +0200
+@@ -16,6 +16,7 @@
+ 
+ package org.apache.tomcat.util.http;
+ 
++import org.apache.tomcat.util.buf.ByteChunk;
+ import org.apache.tomcat.util.buf.MessageBytes;
+ import org.apache.tomcat.util.buf.DateTool;
+ import java.text.*;
+@@ -47,6 +48,9 @@
+     private int version = 0;	// ;Version=1
+ 
+     //XXX CommentURL, Port -> use notes ?
++
++    public static final boolean VERSION_SWITCH =
++        Boolean.valueOf(System.getProperty("org.apache.tomcat.util.http.ServerCookie.VERSION_SWITCH", "true")).booleanValue();
+     
+     public ServerCookie() {
+ 
+@@ -80,7 +84,6 @@
+ 	return maxAge;
+     }
+ 
+-
+     public MessageBytes getPath() {
+ 	return path;
+     }
+@@ -105,7 +108,6 @@
+ 	return version;
+     }
+ 
+-
+     public void setVersion(int v) {
+ 	version = v;
+     }
+@@ -122,8 +124,9 @@
+     // from RFC 2068, token special case characters
+     //
+     // private static final String tspecials = "()<>@,;:\\\"/[]?={} \t";
+-    private static final String tspecials = ",;";
+-    private static final String tspecials2 = ",; \"";
++    private static final String tspecials = ",; ";
++    private static final String tspecials2 = "()<>@,;:\\\"/[]?={} \t";
++    private static final String tspecials2NoSlash = "()<>@,;:\\\"[]?={} \t";
+ 
+     /*
+      * Tests a string and returns true if the string counts as a
+@@ -136,26 +139,52 @@
+      *				if it is not
+      */
+     public static boolean isToken(String value) {
++        return isToken(value,null);
++    }
++    
++    public static boolean isToken(String value, String literals) {
++        String tspecials = (literals==null?ServerCookie.tspecials:literals);
++
+ 	if( value==null) return true;
+ 	int len = value.length();
+ 
+ 	for (int i = 0; i < len; i++) {
+ 	    char c = value.charAt(i);
+ 
+-	    if (c < 0x20 || c >= 0x7f || tspecials.indexOf(c) != -1)
++	    if (tspecials.indexOf(c) != -1)
+ 		return false;
+ 	}
+ 	return true;
+     }
+ 
++    public static boolean containsCTL(String value, int version) {
++        if( value==null) return false;
++        int len = value.length();
++        for (int i = 0; i < len; i++) {
++            char c = value.charAt(i);
++            if (c < 0x20 || c >= 0x7f) {
++                if (c == 0x09)
++                    continue; //allow horizontal tabs
++                return true;
++            }
++        }
++        return false;
++    }
++
+     public static boolean isToken2(String value) {
++        return isToken2(value,null);
++    }
++
++    public static boolean isToken2(String value, String literals) {
++        String tspecials2 = (literals==null?ServerCookie.tspecials2:literals);
++
+         if( value==null) return true;
+         int len = value.length();
+ 
+         for (int i = 0; i < len; i++) {
+             char c = value.charAt(i);
+ 
+-            if (c < 0x20 || c >= 0x7f || tspecials2.indexOf(c) != -1)
++            if (tspecials2.indexOf(c) != -1)
+                 return false;
+         }
+         return true;
+@@ -181,8 +210,8 @@
+     // -------------------- Cookie parsing tools
+ 
+     
+-    /** Return the header name to set the cookie, based on cookie
+-     *  version
++    /**
++     * Return the header name to set the cookie, based on cookie version.
+      */
+     public String getCookieHeaderName() {
+ 	return getCookieHeaderName(version);
+@@ -192,7 +221,6 @@
+      *  version
+      */
+     public static String getCookieHeaderName(int version) {
+-	if( dbg>0 ) log( (version==1) ? "Set-Cookie2" : "Set-Cookie");
+         if (version == 1) {
+ 	    // RFC2109
+ 	    return "Set-Cookie";
+@@ -208,7 +236,7 @@
+ 
+     private static final String ancientDate=DateTool.formatOldCookie(new Date(10000));
+ 
+-    public static void appendCookieValue( StringBuffer buf,
++    public static void appendCookieValue( StringBuffer headerBuf,
+ 					  int version,
+ 					  String name,
+ 					  String value,
+@@ -219,9 +247,10 @@
+ 					  boolean isSecure )
+     {
+         // this part is the same for all cookies
++        StringBuffer buf = new StringBuffer();
+ 	buf.append( name );
+         buf.append("=");
+-        maybeQuote2(version, buf, value);
++        version = maybeQuote2(version, buf, value, true);
+ 
+ 	// XXX Netscape cookie: "; "
+  	// add version 1 specific information
+@@ -232,7 +261,7 @@
+ 	    // Comment=comment
+ 	    if ( comment!=null ) {
+ 		buf.append ("; Comment=");
+-		maybeQuote (version, buf, comment);
++		maybeQuote2 (version, buf, comment);
+ 	    }
+ 	}
+ 	
+@@ -240,7 +269,7 @@
+ 
+ 	if (domain!=null) {
+ 	    buf.append("; Domain=");
+-	    maybeQuote (version, buf, domain);
++	    maybeQuote2 (version, buf, domain);
+ 	}
+ 
+ 	// Max-Age=secs/Discard ... or use old "Expires" format
+@@ -269,14 +298,18 @@
+ 	// Path=path
+ 	if (path!=null) {
+ 	    buf.append ("; Path=");
+-	    maybeQuote (version, buf, path);
++            if (version==0) {
++                maybeQuote2(version, buf, path);
++            } else {
++                maybeQuote2(version, buf, path, ServerCookie.tspecials2NoSlash, false);
++            }
+ 	}
+ 
+ 	// Secure
+ 	if (isSecure) {
+ 	  buf.append ("; Secure");
+ 	}
+-	
++        headerBuf.append(buf);
+ 	
+     }
+ 
+@@ -291,25 +324,52 @@
+ 		throw new IllegalArgumentException( value );
+ 	    else {
+ 		buf.append ('"');
+-		buf.append (escapeDoubleQuotes(value));
++		buf.append(escapeDoubleQuotes(value,0,value.length()));
+ 		buf.append ('"');
+ 	    }
+ 	}
+     }
+ 
+-    public static void maybeQuote2 (int version, StringBuffer buf,
+-            String value) {
+-        // special case - a \n or \r  shouldn't happen in any case
+-        if (isToken2(value)) {
+-            buf.append(value);
+-        } else {
++    public static boolean alreadyQuoted (String value) {
++        if (value==null || value.length()==0) return false;
++        return (value.charAt(0)=='\"' && value.charAt(value.length()-1)=='\"');
++    }
++
++    public static int maybeQuote2(int version, StringBuffer buf, String value) {
++        return maybeQuote2(version,buf,value,false);
++    }
++    public static int maybeQuote2 (int version, StringBuffer buf, String value, boolean allowVersionSwitch) {
++        return maybeQuote2(version,buf,value,null,allowVersionSwitch);
++    }
++
++    public static int maybeQuote2 (int version, StringBuffer buf, String value, String literals, boolean allowVersionSwitch) {
++        if (value==null || value.length()==0) {
++            buf.append("\"\"");
++        } else if (containsCTL(value,version))
++            throw new IllegalArgumentException("Control character in cookie value, consider BASE64 encoding your value");
++        else if (alreadyQuoted(value)) {
++            buf.append('"');
++            buf.append(escapeDoubleQuotes(value,1,value.length()-1));
++            buf.append('"');
++        } else if (allowVersionSwitch && VERSION_SWITCH && version==0 && !isToken2(value, literals)) {
+             buf.append('"');
+-            buf.append(escapeDoubleQuotes(value));
++            buf.append(escapeDoubleQuotes(value,0,value.length()));
+             buf.append('"');
++            version = 1;
++        } else if (version==0 && !isToken(value, literals)) {
++            buf.append('"');
++            buf.append(escapeDoubleQuotes(value,0,value.length()));
++            buf.append('"');
++        } else if (version==1 && !isToken2(value, literals)) {
++            buf.append('"');
++            buf.append(escapeDoubleQuotes(value,0,value.length()));
++            buf.append('"');
++        } else {
++            buf.append(value);
+         }
++        return version;
+     }
+ 
+-
+     // log
+     static final int dbg=1;
+     public static void log(String s ) {
+@@ -323,25 +383,55 @@
+      *
+      * @return The (possibly) escaped string
+      */
+-    private static String escapeDoubleQuotes(String s) {
++    private static String escapeDoubleQuotes(String s, int beginIndex,
++            int endIndex) {
+ 
+         if (s == null || s.length() == 0 || s.indexOf('"') == -1) {
+             return s;
+         }
+ 
+         StringBuffer b = new StringBuffer();
+-        char p = s.charAt(0);
+-        for (int i = 0; i < s.length(); i++) {
++        for (int i = beginIndex; i < endIndex; i++) {
+             char c = s.charAt(i);
+-            if (c == '"' && p != '\\')
++            if (c == '\\' ) {
++                b.append(c);
++                //ignore the character after an escape, just append it
++                if (++i>=endIndex) throw new IllegalArgumentException("Invalid escape character in cookie value.");
++                b.append(s.charAt(i));
++            } else if (c == '"')
+                 b.append('\\').append('"');
+             else
+                 b.append(c);
+-            p = c;
+         }
+ 
+         return b.toString();
+     }
++    /**
++     * Unescapes any double quotes in the given cookie value.
++     *
++     * @param bc The cookie value to modify
++     */
++    public static void unescapeDoubleQuotes(ByteChunk bc) {
++
++        if (bc == null || bc.getLength() == 0 || bc.indexOf('"', 0) == -1) {
++            return;
++        }
++
++        int src = bc.getStart();
++        int end = bc.getEnd();
++        int dest = src;
++        byte[] buffer = bc.getBuffer();
++
++        while (src < end) {
++            if (buffer[src] == '\\' && src < end && buffer[src+1]  == '"') {
++                src++;
++            }
++            buffer[dest] = buffer[src];
++            dest ++;
++            src ++;
++        }
++        bc.setEnd(dest);
++    }
+ 
+ }
+ 

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5461.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5461.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2007-5461.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,72 @@
+--- ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java.sav	2004-11-24 11:55:13.000000000 -0500
++++ ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java	2007-10-22 22:34:40.000000000 -0400
+@@ -19,6 +19,7 @@
+ 
+ 
+ import java.io.IOException;
++import java.io.StringReader;
+ import java.io.StringWriter;
+ import java.io.Writer;
+ import java.text.SimpleDateFormat;
+@@ -33,6 +34,7 @@
+ import javax.naming.NamingEnumeration;
+ import javax.naming.NamingException;
+ import javax.naming.directory.DirContext;
++import javax.servlet.ServletContext;
+ import javax.servlet.ServletException;
+ import javax.servlet.http.HttpServletRequest;
+ import javax.servlet.http.HttpServletResponse;
+@@ -49,6 +51,7 @@
+ import org.w3c.dom.Element;
+ import org.w3c.dom.Node;
+ import org.w3c.dom.NodeList;
++import org.xml.sax.EntityResolver;
+ import org.xml.sax.InputSource;
+ import org.xml.sax.SAXException;
+ 
+@@ -219,6 +222,8 @@
+             documentBuilderFactory = DocumentBuilderFactory.newInstance();
+             documentBuilderFactory.setNamespaceAware(true);
+             documentBuilder = documentBuilderFactory.newDocumentBuilder();
++            documentBuilder.setEntityResolver(
++                    new WebdavResolver(this.getServletContext()));
+         } catch(ParserConfigurationException e) {
+             throw new ServletException
+                 (sm.getString("webdavservlet.jaxpfailed"));
+@@ -2716,6 +2721,26 @@
+     }
+ 
+ 
++    // --------------------------------------------- WebdavResolver Inner Class
++    /**
++     * Work around for XML parsers that don't fully respect
++     * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
++     * references are filtered out for security reasons. See CVE-2007-5461.
++     */
++    private class WebdavResolver implements EntityResolver {
++        private ServletContext context;
++        
++        public WebdavResolver(ServletContext theContext) {
++            context = theContext;
++        }
++     
++        public InputSource resolveEntity (String publicId, String systemId) {
++            context.log(sm.getString("webdavservlet.enternalEntityIgnored",
++                    publicId, systemId));
++            return new InputSource(
++                    new StringReader("Ignored external entity"));
++        }
++    }
+ };
+ 
+ 
+--- ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties.sav	2007-10-22 21:01:54.000000000 -0400
++++ ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties	2007-10-22 21:02:09.000000000 -0400
+@@ -9,6 +9,7 @@
+ invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
+ invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
+ webdavservlet.jaxpfailed=JAXP initialization failed
++webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
+ directory.filename=Filename
+ directory.lastModified=Last Modified
+ directory.parent=Up To {0}

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-0128.5.0.x.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-0128.5.0.x.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-0128.5.0.x.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,14 @@
+--- ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java	2004-11-24 17:55:07.000000000 +0100
++++ ./jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/authenticator/AuthenticatorBase.java	2008-04-04 15:53:59.000000000 +0200
+@@ -843,6 +843,11 @@
+             Cookie cookie = new Cookie(Constants.SINGLE_SIGN_ON_COOKIE, ssoId);
+             cookie.setMaxAge(-1);
+             cookie.setPath("/");
++
++            // Bugzilla 41217
++            javax.servlet.ServletRequest r = (javax.servlet.ServletRequest) request;
++            cookie.setSecure(r.isSecure());
++
+             hres.addCookie(cookie);
+ 
+             // Register this principal with our SSO valve

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-1232.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-1232.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-1232.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,89 @@
+--- jakarta-tomcat-connectors/coyote/src/java/org/apache/coyote/Constants.java (original)
++++ jakarta-tomcat-connectors/coyote/src/java/org/apache/coyote/Constants.java Wed Jul 30 02:26:27 2008
+@@ -53,4 +53,12 @@
+     public static final int STAGE_ENDED = 7;
+ 
+ 
++    /**
++     * If true, custom HTTP status messages will be used in headers.
++     */
++    public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
++        Boolean.valueOf(System.getProperty(
++                "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
++                "false")).booleanValue();
++
+ }
+
+--- jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java (original)
++++ jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java Wed Jul 30 02:26:27 2008
+@@ -448,11 +448,14 @@
+         buf[pos++] = Constants.SP;
+ 
+         // Write message
+-        String message = response.getMessage();
++        String message = null;
++        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
++            message = response.getMessage();
++        } 
+         if (message == null) {
+             write(getMessage(status));
+         } else {
+-            write(message);
++            write(message.replace('\n', ' ').replace('\r', ' '));
+         }
+ 
+         // End the response status line
+
+--- jakarta-tomcat-connectors/jk/java/org/apache/jk/server/JkCoyoteHandler.java.org	2005-03-26 20:24:11.000000000 +0100
++++ jakarta-tomcat-connectors/jk/java/org/apache/jk/server/JkCoyoteHandler.java	2008-08-18 11:37:00.000000000 +0200
+@@ -363,7 +363,10 @@
+             mb=MessageBytes.newInstance();
+             ep.setNote( tmpMessageBytesNote, mb );
+         }
+-        String message=res.getMessage();
++        String message=null;
++        if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
++            message = res.getMessage();
++        }
+         if( message==null ){
+ 	    if( System.getSecurityManager() != null ) {
+ 		message = (String)AccessController.doPrivileged(
+
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
+@@ -115,8 +115,7 @@
+             || (requestPathMB.equalsIgnoreCase("/META-INF"))
+             || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
+             || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
+-            String requestURI = hreq.getDecodedRequestURI();
+-            notFound(requestURI, (HttpServletResponse) response.getResponse());
++            notFound((HttpServletResponse) response.getResponse());
+             return;
+         }
+ 
+@@ -132,8 +131,7 @@
+         // Select the Wrapper to be used for this Request
+         Wrapper wrapper = request.getWrapper();
+         if (wrapper == null) {
+-            String requestURI = hreq.getDecodedRequestURI();
+-            notFound(requestURI, (HttpServletResponse) response.getResponse());
++            notFound((HttpServletResponse) response.getResponse());
+             return;
+         }
+ 
+@@ -268,13 +266,12 @@
+      * application, but currently that code runs at the wrapper level rather
+      * than the context level.
+      *
+-     * @param requestURI The request URI for the requested resource
+      * @param response The response we are creating
+      */
+-    private void notFound(String requestURI, HttpServletResponse response) {
++    private void notFound(HttpServletResponse response) {
+ 
+         try {
+-            response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
++            response.sendError(HttpServletResponse.SC_NOT_FOUND);
+         } catch (IllegalStateException e) {
+             ;
+         } catch (IOException e) {

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2370.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2370.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2370.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,41 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java (original)
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/core/ApplicationContext.java Wed Jul 30 02:34:21 2008
+@@ -379,10 +379,21 @@
+             throw new IllegalArgumentException
+                 (sm.getString
+                  ("applicationContext.requestDispatcher.iae", path));
++
++        // Get query string
++        String queryString = null;
++        int pos = path.indexOf('?');
++        if (pos >= 0) {
++            queryString = path.substring(pos + 1);
++            path = path.substring(0, pos); 
++        }
++ 
+         path = normalize(path);
+         if (path == null)
+             return (null);
+ 
++        pos = path.length();
++
+         // Retrieve the thread local URI
+         MessageBytes uriMB = (MessageBytes) localUriMB.get();
+         if (uriMB == null) {
+@@ -394,15 +405,6 @@
+             uriMB.recycle();
+         }
+ 
+-        // Get query string
+-        String queryString = null;
+-        int pos = path.indexOf('?');
+-        if (pos >= 0) {
+-            queryString = path.substring(pos + 1);
+-        } else {
+-            pos = path.length();
+-        }
+- 
+         // Retrieve the thread local mapping data
+         MappingData mappingData = (MappingData) localMappingData.get();
+         if (mappingData == null) {
+

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2938.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2938.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-2938.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,83 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteAdapter.java	2008-07-17 13:13:43 UTC (rev 717)
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/coyote/tomcat5/CoyoteAdapter.java	2008-07-17 17:43:56 UTC (rev 718)
+@@ -442,6 +442,12 @@
+             }
+             // Character decoding
+             convertURI(decodedURI, request);
++            // Check that the URI is still normalized
++            if (!checkNormalize(req.decodedURI())) {
++                res.setStatus(400);
++                res.setMessage("Invalid URI character encoding");
++                return false;
++            }
+         } else {
+             // The URL is chars or String, and has been sent using an in-memory
+             // protocol handler, we have to assume the URL has been properly
+@@ -821,6 +827,67 @@
+     }
+ 
+ 
++    /**
++     * Check that the URI is normalized following character decoding.
++     * <p>
++     * This method checks for "\", "//", "/./" and "/../". This method will
++     * return false if sequences that are supposed to be normalized still 
++     * present in the URI.
++     * 
++     * @param uriMB URI to be normalized
++     */
++    public static boolean checkNormalize(MessageBytes uriMB) {
++
++        CharChunk uriCC = uriMB.getCharChunk();
++        char[] c = uriCC.getChars();
++        int start = uriCC.getStart();
++        int end = uriCC.getEnd();
++
++        int pos = 0;
++
++        // Check for '\' and for null byte
++        for (pos = start; pos < end; pos++) {
++            if (c[pos] == '\\') {
++                return false;
++            }
++            if (c[pos] == 0) {
++                return false;
++            }
++        }
++
++        // Check for "//"
++        for (pos = start; pos < (end - 1); pos++) {
++            if (c[pos] == '/') {
++                if (c[pos + 1] == '/') {
++                    return false;
++                }
++            }
++        }
++
++        // Check for URI ending with "/." or "/.."
++        if (((end - start) >= 2) && (c[end - 1] == '.')) {
++            if ((c[end - 2] == '/') 
++                    || ((c[end - 2] == '.') 
++                    && (c[end - 3] == '/'))) {
++                return false;
++            }
++        }
++
++        // Check for "/./"
++        if (uriCC.indexOf("/./", 0, 3, 0) >= 0) {
++            return false;
++        }
++
++        // Check for "/./"
++        if (uriCC.indexOf("/../", 0, 4, 0) >= 0) {
++            return false;
++        }
++
++        return true;
++
++    }
++
++
+     // ------------------------------------------------------ Protected Methods
+ 
+ 

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-3271.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-3271.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-CVE-2008-3271.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,110 @@
+--- jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java.org	2008-10-28 17:33:08.000000000 +0100
++++ jakarta-tomcat-catalina/catalina/src/share/org/apache/catalina/valves/RequestFilterValve.java	2008-10-28 17:34:19.000000000 +0100
+@@ -30,6 +30,7 @@
+ import org.apache.catalina.ValveContext;
+ import org.apache.catalina.util.StringManager;
+ import org.apache.regexp.RE;
++import org.apache.regexp.REProgram;
+ import org.apache.regexp.RESyntaxException;
+ import org.apache.tomcat.util.compat.JdkCompat;
+ 
+@@ -104,15 +105,17 @@
+ 
+ 
+     /**
+-     * The set of <code>allow</code> regular expressions we will evaluate.
++     * The set of <code>allow</code> pre-compiled regular expressions we will
++     * evaluate.
+      */
+-    protected RE allows[] = new RE[0];
++    protected REProgram allows[] = new REProgram[0];
+ 
+ 
+     /**
+-     * The set of <code>deny</code> regular expressions we will evaluate.
++     * The set of <code>deny</code> pre-compiled regular expressions we will
++     * evaluate.
+      */
+-    protected RE denies[] = new RE[0];
++    protected REProgram denies[] = new REProgram[0];
+ 
+ 
+     /**
+@@ -210,32 +213,32 @@
+ 
+ 
+     /**
+-     * Return an array of regular expression objects initialized from the
+-     * specified argument, which must be <code>null</code> or a comma-delimited
+-     * list of regular expression patterns.
++     * Return an array of pre-compiled regular expression objects initialized
++     * from the specified argument, which must be <code>null</code> or a
++     * comma-delimited list of regular expression patterns.
+      *
+      * @param list The comma-separated list of patterns
+      *
+      * @exception IllegalArgumentException if one of the patterns has
+      *  invalid syntax
+      */
+-    protected RE[] precalculate(String list) {
++    protected REProgram[] precalculate(String list) {
+ 
+         if (list == null)
+-            return (new RE[0]);
++            return (new REProgram[0]);
+         list = list.trim();
+         if (list.length() < 1)
+-            return (new RE[0]);
++            return (new REProgram[0]);
+         list += ",";
+ 
+-        ArrayList reList = new ArrayList();
++        ArrayList reProgramList = new ArrayList();
+         while (list.length() > 0) {
+             int comma = list.indexOf(',');
+             if (comma < 0)
+                 break;
+             String pattern = list.substring(0, comma).trim();
+             try {
+-                reList.add(new RE(pattern));
++                reProgramList.add(new RE(pattern).getProgram());
+             } catch (RESyntaxException e) {
+                 IllegalArgumentException iae = new IllegalArgumentException
+                     (sm.getString("requestFilterValve.syntax", pattern));
+@@ -245,8 +248,8 @@
+             list = list.substring(comma + 1);
+         }
+ 
+-        RE reArray[] = new RE[reList.size()];
+-        return ((RE[]) reList.toArray(reArray));
++        REProgram reProgramArray[] = new REProgram[reProgramList.size()];
++        return ((REProgram[]) reProgramList.toArray(reProgramArray));
+ 
+     }
+ 
+@@ -269,9 +272,14 @@
+                            ValveContext context)
+         throws IOException, ServletException {
+ 
++        
++        // Create local RE since RE is not thread safe
++        RE re = new RE();
++        
+         // Check the deny patterns, if any
+         for (int i = 0; i < denies.length; i++) {
+-            if (denies[i].match(property)) {
++            re.setProgram(denies[i]);
++            if (re.match(property)) {
+                 ServletResponse sres = response.getResponse();
+                 if (sres instanceof HttpServletResponse) {
+                     HttpServletResponse hres = (HttpServletResponse) sres;
+@@ -283,7 +291,8 @@
+ 
+         // Check the allow patterns, if any
+         for (int i = 0; i < allows.length; i++) {
+-            if (allows[i].match(property)) {
++            re.setProgram(allows[i]);
++            if (re.match(property)) {
+                 context.invokeNext(request, response);
+                 return;
+             }

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-bootstrap.MF.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-bootstrap.MF.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-bootstrap.MF.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,8 @@
+--- jakarta-tomcat-5.0.30-src/jakarta-tomcat-catalina/catalina/etc/bootstrap.MF	2004-11-24 11:55:05.000000000 -0500
++++ jakarta-tomcat-5.0.30-src/jakarta-tomcat-catalina/catalina/etc/bootstrap.MF	2004-12-10 16:33:56.000000000 -0500
+@@ -1,5 +1,4 @@
+ Manifest-Version: 1.0
+ Main-Class: org.apache.catalina.startup.Bootstrap
+-Class-Path: jmx.jar commons-daemon.jar commons-logging-api.jar
+ Specification-Title: Catalina
+ Specification-Version: 1.0

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-javaxssl.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-javaxssl.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-javaxssl.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,52 @@
+--- jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java.orig	2004-06-17 21:11:40.000000000 -0400
++++ jakarta-tomcat-connectors/util/java/org/apache/tomcat/util/net/jsse/JSSE13SocketFactory.java	2004-12-07 15:21:53.000000000 -0500
+@@ -66,8 +66,8 @@
+      */
+      void init() throws IOException {
+         try {
+-            Security.addProvider (new sun.security.provider.Sun());
+-            Security.addProvider (new com.sun.net.ssl.internal.ssl.Provider());
++            // Security.addProvider (new sun.security.provider.Sun());
++            // Security.addProvider (new com.sun.net.ssl.internal.ssl.Provider());
+ 
+             String clientAuthStr = (String)attributes.get("clientauth");
+             if("true".equalsIgnoreCase(clientAuthStr) || 
+@@ -85,8 +85,8 @@
+             if (algorithm == null) algorithm = defaultAlgorithm;
+ 
+             // Set up KeyManager, which will extract server key
+-            com.sun.net.ssl.KeyManagerFactory kmf = 
+-                com.sun.net.ssl.KeyManagerFactory.getInstance(algorithm);
++            javax.net.ssl.KeyManagerFactory kmf = 
++                javax.net.ssl.KeyManagerFactory.getInstance(algorithm);
+             String keystoreType = (String)attributes.get("keystoreType");
+             if (keystoreType == null) {
+                 keystoreType = defaultKeystoreType;
+@@ -96,22 +96,22 @@
+                      keystorePass.toCharArray());
+ 
+             // Set up TrustManager
+-            com.sun.net.ssl.TrustManager[] tm = null;
++            javax.net.ssl.TrustManager[] tm = null;
+             String truststoreType = (String)attributes.get("truststoreType");
+             if(truststoreType == null) {
+                 truststoreType = keystoreType;
+             }
+             KeyStore trustStore = getTrustStore(truststoreType);
+             if (trustStore != null) {
+-                com.sun.net.ssl.TrustManagerFactory tmf =
+-                    com.sun.net.ssl.TrustManagerFactory.getInstance("SunX509");
++                javax.net.ssl.TrustManagerFactory tmf =
++                    javax.net.ssl.TrustManagerFactory.getInstance("SunX509");
+                 tmf.init(trustStore);
+                 tm = tmf.getTrustManagers();
+             }
+ 
+             // Create and init SSLContext
+-            com.sun.net.ssl.SSLContext context = 
+-                com.sun.net.ssl.SSLContext.getInstance(protocol); 
++            javax.net.ssl.SSLContext context = 
++                javax.net.ssl.SSLContext.getInstance(protocol); 
+             context.init(kmf.getKeyManagers(), tm, new SecureRandom());
+ 
+             // Create proxy

Added: apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-jbas-2775-server-header.patch
===================================================================
--- apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-jbas-2775-server-header.patch	                        (rev 0)
+++ apache-tomcat/5.0.30.patch07-brew/src/tomcat5-5.0.30-jbas-2775-server-header.patch	2009-07-07 22:33:37 UTC (rev 27649)
@@ -0,0 +1,49 @@
+--- jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Http11Processor.java
++++ jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Http11Processor.java
+298a299,302
+>     /**
+>      * Allow a customized the server header for the tin-foil hat folks.
+>      */
+>     protected String server = null;
+707a712,729
+>      * Set the server header name.
+>      */
+>     public void setServer( String server ) {
+>         if (server==null || server.equals("")) {
+>             this.server = null;
+>         } else {
+>             this.server = server;
+>         }
+>     }
+> 
+>     /**
+>      * Get the server header name.
+>      */
+>     public String getServer() {
+>         return server;
+>     }
+> 
+>     /**
+1509a1532,1535
+>         
+>        if (server != null) {
+>            headers.setValue("Server").setString(server);
+>        } else {
+1510a1537
+>        }
+--- jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Http11Protocol.java
++++ jakarta-tomcat-connectors/http11/src/java/org/apache/coyote/http11/Http11Protocol.java
+229a230
+>     private String server;
+568a570,577
+>     public void setServer( String server ) {
+>         this.server = server;
+>     }
+> 
+>     public String getServer() {
+>         return server;
+>     }
+> 
+659a669
+>             processor.setServer( proto.server );
+




More information about the jboss-cvs-commits mailing list