Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package logback for openSUSE:Factory checked in at 2025-10-03 15:45:03 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/logback (Old) and /work/SRC/openSUSE:Factory/.logback.new.11973 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "logback" Fri Oct 3 15:45:03 2025 rev:11 rq:1308795 version:1.2.13 Changes: -------- --- /work/SRC/openSUSE:Factory/logback/logback.changes 2025-03-31 11:39:45.791665391 +0200 +++ /work/SRC/openSUSE:Factory/.logback.new.11973/logback.changes 2025-10-03 15:46:42.968739666 +0200 @@ -1,0 +2,26 @@ +Fri Oct 3 06:52:14 UTC 2025 - Fridrich Strba <[email protected]> + +- Upgrade to upstream version 1.2.13 + * Fixed NPE in ThrowableProxy if extractSupressedThrowables method + returns null. This fixes LOGBACK-1623 + * Fixed incorrect use of HttpServletResponse.getStatus in + logback-access as reported in LOGBACK-1580 + * Fixed incorrect use of HttpServletRequest.getParameterNames() + logback-access as reported in LOGBACK-1581 + * Fixed incorrect SCP URL in Maven pom.xml. This issue was + reported in LOGBACK-1633 + * Fixes for CVE-2023-6481 as well CVE-2023-6378 were back-ported + into the 1.2.x branch. Fixes will be effective only when run + under Java 9 and later. + Note that a successful exploitation of + CVE-2023-6378/CVE-2023-6381 requires that logback-receiver + component is enabled and also reachable by the attacker. +- Removed patch: + * logback-1.2.8-jetty.patch + + not needed with this version +- Added patch: + * logback-CVE-2025-11226.patch + + backport of upstream fix for bsc#1250715, CVE-2025-11226: ACE + vulnerability in conditional configuration file processing + +------------------------------------------------------------------- @@ -7 +33 @@ - to filte binary files and failing to do so. This avoids + to filter binary files and failing to do so. This avoids Old: ---- logback-1.2.11.tar.xz logback-1.2.8-jetty.patch New: ---- _scmsync.obsinfo build.specials.obscpio logback-1.2.13.tar.xz logback-CVE-2025-11226.patch ----------(Old B)---------- Old:- Removed patch: * logback-1.2.8-jetty.patch + not needed with this version ----------(Old E)---------- ----------(New B)---------- New:- Added patch: * logback-CVE-2025-11226.patch + backport of upstream fix for bsc#1250715, CVE-2025-11226: ACE ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ logback.spec ++++++ --- /var/tmp/diff_new_pack.dHST1G/_old 2025-10-03 15:46:44.364798152 +0200 +++ /var/tmp/diff_new_pack.dHST1G/_new 2025-10-03 15:46:44.364798152 +0200 @@ -1,7 +1,7 @@ # # spec file for package logback # -# Copyright (c) 2025 SUSE LLC +# Copyright (c) 2025 SUSE LLC and contributors # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed @@ -17,17 +17,16 @@ Name: logback -Version: 1.2.11 +Version: 1.2.13 Release: 0 Summary: A Java logging library License: EPL-1.0 OR LGPL-2.1-or-later URL: https://logback.qos.ch/ Source0: %{name}-%{version}.tar.xz -# Remove deprecated methods -Patch0: %{name}-1.2.8-jetty.patch -Patch1: logback-1.2.3-getCallerClass.patch -Patch2: logback-CVE-2024-12801-CVE-2024-12798.patch -Patch3: filtering.patch +Patch0: logback-1.2.3-getCallerClass.patch +Patch1: logback-CVE-2024-12801-CVE-2024-12798.patch +Patch2: filtering.patch +Patch3: logback-CVE-2025-11226.patch BuildRequires: fdupes BuildRequires: maven-local BuildRequires: mvn(javax.mail:mail) @@ -41,7 +40,6 @@ BuildRequires: mvn(org.apache.tomcat:tomcat-coyote) BuildRequires: mvn(org.codehaus.janino:janino) BuildRequires: mvn(org.eclipse.jetty:jetty-server) -BuildRequires: mvn(org.eclipse.jetty:jetty-util) BuildRequires: mvn(org.fusesource.jansi:jansi) BuildRequires: mvn(org.slf4j:slf4j-api) BuildRequires: mvn(org.slf4j:slf4j-ext) @@ -88,10 +86,7 @@ find . -type f -exec chmod -x {} \; chmod +x %{name}-examples/src/main/resources/setClasspath.sh -%patch -P 0 -p1 -%patch -P 1 -p1 -%patch -P 2 -p1 -%patch -P 3 -p1 +%autopatch -p1 %pom_remove_plugin :maven-source-plugin %pom_remove_plugin :findbugs-maven-plugin ++++++ _scmsync.obsinfo ++++++ mtime: 1759475660 commit: 2111227464331c40e1296817d0e389bd3f88031f6060f5b046401a407e3d789b url: https://src.opensuse.org/java-packages/logback.git revision: 2111227464331c40e1296817d0e389bd3f88031f6060f5b046401a407e3d789b projectscmsync: https://src.opensuse.org/java-packages/_ObsPrj ++++++ _service ++++++ --- /var/tmp/diff_new_pack.dHST1G/_old 2025-10-03 15:46:44.444801504 +0200 +++ /var/tmp/diff_new_pack.dHST1G/_new 2025-10-03 15:46:44.448801672 +0200 @@ -2,7 +2,7 @@ <service name="tar_scm" mode="disabled"> <param name="scm">git</param> <param name="url">https://github.com/qos-ch/logback.git</param> - <param name="revision">v_1.2.11</param> + <param name="revision">v_1.2.13</param> <param name="match-tag">v_*</param> <param name="versionformat">@PARENT_TAG@</param> <param name="versionrewrite-pattern">v_(.*)</param> ++++++ build.specials.obscpio ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/.gitignore new/.gitignore --- old/.gitignore 1970-01-01 01:00:00.000000000 +0100 +++ new/.gitignore 2025-10-03 09:14:40.000000000 +0200 @@ -0,0 +1 @@ +.osc ++++++ logback-1.2.11.tar.xz -> logback-1.2.13.tar.xz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-access/pom.xml new/logback-1.2.13/logback-access/pom.xml --- old/logback-1.2.11/logback-access/pom.xml 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-access/pom.xml 2023-12-01 15:19:53.000000000 +0100 @@ -8,7 +8,7 @@ <parent> <groupId>ch.qos.logback</groupId> <artifactId>logback-parent</artifactId> - <version>1.2.11</version> + <version>1.2.13</version> </parent> <artifactId>logback-access</artifactId> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-access/src/main/java/ch/qos/logback/access/jetty/JettyModernServerAdapter.java new/logback-1.2.13/logback-access/src/main/java/ch/qos/logback/access/jetty/JettyModernServerAdapter.java --- old/logback-1.2.11/logback-access/src/main/java/ch/qos/logback/access/jetty/JettyModernServerAdapter.java 1970-01-01 01:00:00.000000000 +0100 +++ new/logback-1.2.13/logback-access/src/main/java/ch/qos/logback/access/jetty/JettyModernServerAdapter.java 2023-12-01 15:19:53.000000000 +0100 @@ -0,0 +1,66 @@ +/** + * Logback: the reliable, generic, fast and flexible logging framework. + * Copyright (C) 1999-2015, QOS.ch. All rights reserved. + * + * This program and the accompanying materials are dual-licensed under + * either the terms of the Eclipse Public License v1.0 as published by + * the Eclipse Foundation + * + * or (per the licensee's choosing) + * + * under the terms of the GNU Lesser General Public License version 2.1 + * as published by the Free Software Foundation. + */ +package ch.qos.logback.access.jetty; + +import java.util.HashMap; +import java.util.Iterator; +import java.util.Map; + +import ch.qos.logback.access.spi.ServerAdapter; +import org.eclipse.jetty.http.HttpField; +import org.eclipse.jetty.server.Request; +import org.eclipse.jetty.server.Response; + +/** + * A Jetty 9.4.x and 10.0.x specific implementation of the {@link ServerAdapter} interface. + * + * @author Sébastien Pennec + * @author Ceki Gulcu + * @author Joakim Erdfelt + */ +public class JettyModernServerAdapter extends JettyServerAdapter +{ + public JettyModernServerAdapter(Request jettyRequest, Response jettyResponse) { + super(jettyRequest, jettyResponse); + } + + @Override + public long getContentLength() { + return response.getHttpChannel().getBytesWritten(); + } + + @Override + public int getStatusCode() { + return response.getCommittedMetaData().getStatus(); + } + + @Override + public long getRequestTimestamp() { + return request.getTimeStamp(); + } + + @Override + public Map<String, String> buildResponseHeaderMap() { + Map<String, String> responseHeaderMap = new HashMap<String, String>(); + Iterator<HttpField> httpFieldIter = response.getHttpFields().iterator(); + while (httpFieldIter.hasNext()) { + HttpField httpField = httpFieldIter.next(); + String key = httpField.getName(); + String value = httpField.getValue(); + responseHeaderMap.put(key, value); + } + return responseHeaderMap; + } + +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java new/logback-1.2.13/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java --- old/logback-1.2.11/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-access/src/main/java/ch/qos/logback/access/jetty/RequestLogImpl.java 2023-12-01 15:19:53.000000000 +0100 @@ -19,14 +19,6 @@ import java.util.Iterator; import java.util.List; -import ch.qos.logback.core.status.InfoStatus; -import ch.qos.logback.core.util.FileUtil; -import ch.qos.logback.core.util.StatusPrinter; - -import org.eclipse.jetty.server.Request; -import org.eclipse.jetty.server.RequestLog; -import org.eclipse.jetty.server.Response; - import ch.qos.logback.access.joran.JoranConfigurator; import ch.qos.logback.access.spi.AccessEvent; import ch.qos.logback.access.spi.IAccessEvent; @@ -42,22 +34,114 @@ import ch.qos.logback.core.spi.FilterAttachableImpl; import ch.qos.logback.core.spi.FilterReply; import ch.qos.logback.core.status.ErrorStatus; +import ch.qos.logback.core.status.InfoStatus; +import ch.qos.logback.core.util.FileUtil; import ch.qos.logback.core.util.OptionHelper; +import ch.qos.logback.core.util.StatusPrinter; +import org.eclipse.jetty.server.Request; +import org.eclipse.jetty.server.RequestLog; +import org.eclipse.jetty.server.Response; +import org.eclipse.jetty.util.component.LifeCycle; /** - * This class is logback's implementation of jetty's RequestLog interface. <p> + * This class is logback's implementation of jetty's RequestLog interface. + * <p> * It can be seen as logback classic's LoggerContext. Appenders can be attached * directly to RequestLogImpl and RequestLogImpl uses the same StatusManager as - * LoggerContext does. It also provides containers for properties. <p> To - * configure jetty in order to use RequestLogImpl, the following lines must be - * added to the jetty configuration file, namely <em>etc/jetty.xml</em>: + * LoggerContext does. It also provides containers for properties. + * </p> + * <h2>Supported Jetty Versions</h2> + * <p> + * This {@code RequestLogImpl} only supports Jetty 7.0.0 through Jetty 10. + * If you are using Jetty 11 with the new Jakarta Servlets (namespace {@code jakarta.servlet}) + * then you will need a more modern version of {@code logback-access}. + * </p> + * <h2>Configuring for Jetty 9.4.x through to Jetty 10.0.x</h2> + * <p> + * Jetty 9.4.x and Jetty 10.x use a modern @{code server.setRequestLog(RequestLog)} interface that + * is based on a Server level RequestLog behavior. This means all requests are logged, + * even bad requests, and context-less requests. The internals of the Jetty Request and + * Response objects track the state of the object at the time they are committed (the + * actual state during the application when an action on the network commits the + * request/response exchange). This prevents behaviors from 3rd party libraries + * that change the state of the request / response before the RequestLog gets a chance + * to log the details. This differs from Jetty 9.3.x and + * older in that those versions used a (now deprecated) {@code RequestLogHandler} and + * would never see bad requests, or context-less requests, + * and if a 3rd party library modifies the the response (for example by setting + * {@code response.setStatus(200)} after the response has been initiated on the network) + * this change in status would be logged, instead of the actual status that was sent. + * </p> + * <p> + * First, you must be using the proper {@code ${jetty.home}} and {@code ${jetty.base}} + * directory split. Configure your {@code ${jetty.base}} with at least the `resources` module + * enabled (so that your configuration can be found). + * </p> + * <p> + * Next, create a {@code ${jetty.base}/etc/logback-access-requestlog.xml} file with the following + * content. + * </p> + * <pre> + * <?xml version="1.0"?> + * <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> + * + * <Configure id="Server" class="org.eclipse.jetty.server.Server"> + * <Set name="requestLog"> + * <New id="LogbackAccess" class="ch.qos.logback.access.jetty.RequestLogImpl"> + * <Set name="resource">logback-access.xml</Set> + * </New> + * </Set> + * </Configure> + * </pre> * <p/> + * <p> + * Now you'll need a {@code ${jetty.base}/resources/logback-access.xml} configuration file. + * </p> + * By default, {@code RequestLogImpl} looks for a logback configuration file called + * {@code etc/logback-access.xml}, in the {@code ${jetty.base}} directory, then + * the older {@code ${jetty.home}} directory. + * The {@code logback-access.xml} file is slightly + * different than the usual logback classic configuration file. Most of it is + * the same: Appenders and Layouts are declared the exact same way. However, + * loggers elements are not allowed. <p> It is possible to put the logback + * configuration file anywhere, as long as it's path is specified. Here is + * another example, with a path to the logback-access.xml file. + * <p/> + * <pre> + * <?xml version="1.0"?> + * <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure_9_3.dtd"> + * + * <Configure id="Server" class="org.eclipse.jetty.server.Server"> + * <Set name="requestLog"> + * <New id="LogbackAccess" class="ch.qos.logback.access.jetty.RequestLogImpl"> + * <Set name="fileName">/path/to/logback-access.xml</Set> + * </New> + * </Set> + * </Configure> + * </pre> + * <h2>Configuring for Jetty 7.x thru to Jetty 9.3.x</h2> + * <p> + * To configure these older Jetty instances to use {@code RequestLogImpl}, + * the use of the {@code RequestLogHandler} is the technique available to you. + * Modify your {@code etc/jetty-requestlog.xml} + * </p> * <pre> - * <Ref id="requestLog"> - * <Set name="requestLog"> - * <New id="requestLogImpl" class="ch.qos.logback.access.jetty.RequestLogImpl"></New> - * </Set> - * </Ref> + * <?xml version="1.0"?> + * <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd"> + * + * <Configure id="Server" class="org.eclipse.jetty.server.Server"> + * <Ref id="Handlers"> + * <Call name="addHandler"> + * <Arg> + * <New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler"> + * <Set name="requestLog"> + * <New id="RequestLogImpl" class="ch.qos.logback.access.jetty.RequestLogImpl"/> + * </Set> + * </New> + * </Arg> + * </Call> + * </Ref> + * </Configure> * </pre> * <p/> * By default, RequestLogImpl looks for a logback configuration file called @@ -70,12 +154,24 @@ * another example, with a path to the logback-access.xml file. * <p/> * <pre> - * <Ref id="requestLog"> - * <Set name="requestLog"> - * <New id="requestLogImpl" class="ch.qos.logback.access.jetty.RequestLogImpl"></New> - * <Set name="fileName">path/to/logback.xml</Set> - * </Set> - * </Ref> + * <?xml version="1.0"?> + * <!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "http://www.eclipse.org/jetty/configure.dtd"> + * + * <Configure id="Server" class="org.eclipse.jetty.server.Server"> + * <Ref id="Handlers"> + * <Call name="addHandler"> + * <Arg> + * <New id="RequestLog" class="org.eclipse.jetty.server.handler.RequestLogHandler"> + * <Set name="requestLog"> + * <New id="RequestLogImpl" class="ch.qos.logback.access.jetty.RequestLogImpl"> + * <Set name="fileName">path/to/logback-access.xml</Set> + * </New> + * </Set> + * </New> + * </Arg> + * </Call> + * </Ref> + * </Configure> * </pre> * <p/> * <p> Here is a sample logback-access.xml file that can be used right away: @@ -112,24 +208,49 @@ * @author Ceki Gülcü * @author Sébastien Pennec */ -public class RequestLogImpl extends ContextBase implements RequestLog, AppenderAttachable<IAccessEvent>, FilterAttachable<IAccessEvent> { - +public class RequestLogImpl extends ContextBase implements RequestLog, LifeCycle, AppenderAttachable<IAccessEvent>, FilterAttachable<IAccessEvent> { public final static String DEFAULT_CONFIG_FILE = "etc" + File.separatorChar + "logback-access.xml"; + enum State { + FAILED, STOPPED, STARTING, STARTED, STOPPING + } + State state = State.STOPPED; + AppenderAttachableImpl<IAccessEvent> aai = new AppenderAttachableImpl<IAccessEvent>(); FilterAttachableImpl<IAccessEvent> fai = new FilterAttachableImpl<IAccessEvent>(); String fileName; String resource; - boolean started = false; + + // Jetty 9.4.x and newer is considered modern. + boolean modernJettyRequestLog; boolean quiet = false; public RequestLogImpl() { putObject(CoreConstants.EVALUATOR_MAP, new HashMap<String, EventEvaluator<?>>()); + + // plumb the depths of Jetty and the environment ... + if (classIsPresent("jakarta.servlet.http.HttpServlet")) { + throw new RuntimeException("The new jakarta.servlet classes are not supported by this " + + "version of logback-access (check for a newer version of logback-access that " + + "does support it)"); + } + + // look for modern approach to RequestLog + modernJettyRequestLog = classIsPresent("org.eclipse.jetty.server.CustomRequestLog"); + } + + private boolean classIsPresent(String className) { + try { + Class.forName(className); + return true; + } catch (ClassNotFoundException e) { + return false; + } } @Override public void log(Request jettyRequest, Response jettyResponse) { - JettyServerAdapter adapter = new JettyServerAdapter(jettyRequest, jettyResponse); + JettyServerAdapter adapter = newJettyServerAdapter(jettyRequest, jettyResponse); IAccessEvent accessEvent = new AccessEvent(jettyRequest, jettyResponse, adapter); if (getFilterChainDecision(accessEvent) == FilterReply.DENY) { return; @@ -137,7 +258,15 @@ aai.appendLoopOnAppenders(accessEvent); } - private void addInfo(String msg) { + private JettyServerAdapter newJettyServerAdapter(Request jettyRequest, Response jettyResponse) { + if (modernJettyRequestLog) { + return new JettyModernServerAdapter(jettyRequest, jettyResponse); + } else { + return new JettyServerAdapter(jettyRequest, jettyResponse); + } + } + + protected void addInfo(String msg) { getStatusManager().add(new InfoStatus(msg, this)); } @@ -147,11 +276,17 @@ @Override public void start() { - configure(); - if (!isQuiet()) { - StatusPrinter.print(getStatusManager()); + state = State.STARTING; + try { + configure(); + if (!isQuiet()) { + StatusPrinter.print(getStatusManager()); + } + state = State.STARTED; + } catch(Throwable t) { + t.printStackTrace(); + state = State.FAILED; } - started = true; } protected void configure() { @@ -176,14 +311,25 @@ return this.getClass().getResource(resource); } - String jettyHomeProperty = OptionHelper.getSystemProperty("jetty.home"); String defaultConfigFile = DEFAULT_CONFIG_FILE; - if (!OptionHelper.isEmpty(jettyHomeProperty)) { - defaultConfigFile = jettyHomeProperty + File.separatorChar + DEFAULT_CONFIG_FILE; - } else { - addInfo("[jetty.home] system property not set."); + // Always attempt ${jetty.base} first + String jettyBaseProperty = OptionHelper.getSystemProperty("jetty.base"); + if (!OptionHelper.isEmpty(jettyBaseProperty)) { + defaultConfigFile = jettyBaseProperty + File.separatorChar + DEFAULT_CONFIG_FILE; } + File file = new File(defaultConfigFile); + if(!file.exists()) { + // Then use ${jetty.home} (not supported in Jetty 10+) + String jettyHomeProperty = OptionHelper.getSystemProperty("jetty.home"); + if (!OptionHelper.isEmpty(jettyHomeProperty)) { + defaultConfigFile = jettyHomeProperty + File.separatorChar + DEFAULT_CONFIG_FILE; + } else { + addInfo("Neither [jetty.base] nor [jetty.home] system properties are set."); + } + } + + file = new File(defaultConfigFile); addInfo("Assuming default configuration file [" + defaultConfigFile + "]"); if (!file.exists()) return null; @@ -205,13 +351,14 @@ @Override public void stop() { + state = State.STOPPING; aai.detachAndStopAllAppenders(); - started = false; + state = State.STOPPED; } @Override public boolean isRunning() { - return started; + return state == State.STARTED; } public void setFileName(String fileName) { @@ -224,27 +371,26 @@ @Override public boolean isStarted() { - return started; + return state == State.STARTED; } @Override public boolean isStarting() { - return false; + return state == State.STARTING; } @Override public boolean isStopping() { - return false; + return state == State.STOPPING; } - @Override public boolean isStopped() { - return !started; + return state == State.STOPPED; } @Override public boolean isFailed() { - return false; + return state == State.FAILED; } public boolean isQuiet() { @@ -311,13 +457,12 @@ } @Override - public void addLifeCycleListener(Listener listener) { + public void addLifeCycleListener(LifeCycle.Listener listener) { // we'll implement this when asked } @Override - public void removeLifeCycleListener(Listener listener) { + public void removeLifeCycleListener(LifeCycle.Listener listener) { // we'll implement this when asked } - } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-access/src/main/java/ch/qos/logback/access/spi/AccessEvent.java new/logback-1.2.13/logback-access/src/main/java/ch/qos/logback/access/spi/AccessEvent.java --- old/logback-1.2.11/logback-access/src/main/java/ch/qos/logback/access/spi/AccessEvent.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-access/src/main/java/ch/qos/logback/access/spi/AccessEvent.java 2023-12-01 15:19:53.000000000 +0100 @@ -335,13 +335,22 @@ public void buildRequestParameterMap() { requestParameterMap = new HashMap<String, String[]>(); - Enumeration<String> e = httpRequest.getParameterNames(); - if (e == null) { - return; - } - while (e.hasMoreElements()) { - String key = e.nextElement(); - requestParameterMap.put(key, httpRequest.getParameterValues(key)); + try { + Enumeration<String> e = httpRequest.getParameterNames(); + if (e == null) { + return; + } + while (e.hasMoreElements()) { + String key = e.nextElement(); + requestParameterMap.put(key, httpRequest.getParameterValues(key)); + } + } catch(Throwable t) { + // The use of HttpServletRequest.getParameterNames() can cause + // a READ of the Request body content. This can fail with various + // Throwable failures depending on the state of the Request + // at the time this method is called. + // We don't want to fail the logging due to these types of requests + t.printStackTrace(); } } @@ -479,12 +488,12 @@ if (Util.isFormUrlEncoded(httpRequest)) { StringBuilder buf = new StringBuilder(); - Enumeration<String> pramEnumeration = httpRequest.getParameterNames(); - - // example: id=1234&user=cgu - // number=1233&x=1 - int count = 0; try { + Enumeration<String> pramEnumeration = httpRequest.getParameterNames(); + + // example: id=1234&user=cgu + // number=1233&x=1 + int count = 0; while (pramEnumeration.hasMoreElements()) { String key = pramEnumeration.nextElement(); @@ -500,9 +509,14 @@ buf.append(""); } } - } catch (Exception e) { - // FIXME Why is try/catch required? - e.printStackTrace(); + } catch (Throwable t) { + // The use of HttpServletRequest.getParameterNames() and + // HttpServletRequest.getParameter(String) can cause + // a READ of the Request body content. This can fail with various + // Throwable failures depending on the state of the Request + // at the time this method is called. + // We don't want to fail the logging due to these types of requests + t.printStackTrace(); } requestContent = buf.toString(); } else { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-access/src/test/java/ch/qos/logback/access/jetty/JettyFixtureBase.java new/logback-1.2.13/logback-access/src/test/java/ch/qos/logback/access/jetty/JettyFixtureBase.java --- old/logback-1.2.11/logback-access/src/test/java/ch/qos/logback/access/jetty/JettyFixtureBase.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-access/src/test/java/ch/qos/logback/access/jetty/JettyFixtureBase.java 2023-12-01 15:19:53.000000000 +0100 @@ -13,21 +13,16 @@ */ package ch.qos.logback.access.jetty; -import org.eclipse.jetty.server.Connector; import org.eclipse.jetty.server.Request; import org.eclipse.jetty.server.Server; import org.eclipse.jetty.server.Handler; import org.eclipse.jetty.server.handler.AbstractHandler; -import org.eclipse.jetty.server.handler.HandlerList; -import org.eclipse.jetty.server.handler.RequestLogHandler; -import org.eclipse.jetty.server.nio.SelectChannelConnector; -import org.eclipse.jetty.util.ByteArrayISO8859Writer; import javax.servlet.ServletException; import javax.servlet.http.HttpServletRequest; import javax.servlet.http.HttpServletResponse; import java.io.IOException; -import java.io.OutputStream; +import java.io.Writer; public class JettyFixtureBase { final protected RequestLogImpl requestLogImpl; @@ -51,20 +46,12 @@ } public void start() throws Exception { - server = new Server(); - Connector connector = new SelectChannelConnector(); - connector.setPort(port); - server.setConnectors(new Connector[] { connector }); + server = new Server(port); - RequestLogHandler requestLogHandler = new RequestLogHandler(); + server.setRequestLog(requestLogImpl); configureRequestLogImpl(); - requestLogHandler.setRequestLog(requestLogImpl); - HandlerList handlers = new HandlerList(); - handlers.addHandler(requestLogHandler); - handlers.addHandler(getRequestHandler()); - - server.setHandler(handlers); + server.setHandler(getRequestHandler()); server.start(); } @@ -83,16 +70,12 @@ class BasicHandler extends AbstractHandler { public void handle(String target, Request baseRequest, HttpServletRequest request, HttpServletResponse response) throws IOException, ServletException { - OutputStream out = response.getOutputStream(); - ByteArrayISO8859Writer writer = new ByteArrayISO8859Writer(); + response.setCharacterEncoding("UTF-8"); + response.setContentType("text/plain"); + Writer writer = response.getWriter(); writer.write("hello world"); writer.flush(); - response.setContentLength(writer.size()); - writer.writeTo(out); - out.flush(); - baseRequest.setHandled(true); - } } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-classic/pom.xml new/logback-1.2.13/logback-classic/pom.xml --- old/logback-1.2.11/logback-classic/pom.xml 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-classic/pom.xml 2023-12-01 15:19:53.000000000 +0100 @@ -8,7 +8,7 @@ <parent> <groupId>ch.qos.logback</groupId> <artifactId>logback-parent</artifactId> - <version>1.2.11</version> + <version>1.2.13</version> </parent> <artifactId>logback-classic</artifactId> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java new/logback-1.2.13/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java --- old/logback-1.2.11/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-classic/src/main/java/ch/qos/logback/classic/spi/LoggingEventVO.java 2023-12-01 15:19:53.000000000 +0100 @@ -14,6 +14,7 @@ package ch.qos.logback.classic.spi; import java.io.IOException; +import java.io.InvalidObjectException; import java.io.ObjectInputStream; import java.io.ObjectOutputStream; import java.io.Serializable; @@ -38,6 +39,7 @@ private static final int NULL_ARGUMENT_ARRAY = -1; private static final String NULL_ARGUMENT_ARRAY_ELEMENT = "NULL_ARGUMENT_ARRAY_ELEMENT"; + private static final int ARGUMENT_ARRAY_DESERIALIZATION_LIMIT = 128; private String threadName; private String loggerName; @@ -181,6 +183,11 @@ level = Level.toLevel(levelInt); int argArrayLen = in.readInt(); + // Prevent DOS attacks via large or negative arrays + if (argArrayLen < NULL_ARGUMENT_ARRAY || argArrayLen > ARGUMENT_ARRAY_DESERIALIZATION_LIMIT) { + throw new InvalidObjectException("Argument array length is invalid: " + argArrayLen); + } + if (argArrayLen != NULL_ARGUMENT_ARRAY) { argumentArray = new String[argArrayLen]; for (int i = 0; i < argArrayLen; i++) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-classic/src/main/java/ch/qos/logback/classic/spi/ThrowableProxy.java new/logback-1.2.13/logback-classic/src/main/java/ch/qos/logback/classic/spi/ThrowableProxy.java --- old/logback-1.2.11/logback-classic/src/main/java/ch/qos/logback/classic/spi/ThrowableProxy.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-classic/src/main/java/ch/qos/logback/classic/spi/ThrowableProxy.java 2023-12-01 15:19:53.000000000 +0100 @@ -14,6 +14,7 @@ package ch.qos.logback.classic.spi; import ch.qos.logback.core.CoreConstants; +import ch.qos.logback.core.util.OptionHelper; import java.lang.reflect.InvocationTargetException; import java.lang.reflect.Method; @@ -93,10 +94,10 @@ } if (GET_SUPPRESSED_METHOD != null) { - // this will only execute on Java 7 + // this will only execute on Java 7 and later Throwable[] throwableSuppressed = extractSupressedThrowables(throwable); - if (throwableSuppressed.length > 0) { + if (OptionHelper.isNotEmtpy(throwableSuppressed)) { List<ThrowableProxy> suppressedList = new ArrayList<ThrowableProxy>(throwableSuppressed.length); for (Throwable sup : throwableSuppressed) { if (alreadyProcessedSet.contains(sup)) { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-classic/src/test/input/issue/logback-1754.xml new/logback-1.2.13/logback-classic/src/test/input/issue/logback-1754.xml --- old/logback-1.2.11/logback-classic/src/test/input/issue/logback-1754.xml 1970-01-01 01:00:00.000000000 +0100 +++ new/logback-1.2.13/logback-classic/src/test/input/issue/logback-1754.xml 2023-12-01 15:19:53.000000000 +0100 @@ -0,0 +1,30 @@ +<?xml version="1.0" encoding="UTF-8"?> +<!-- + ~ Logback: the reliable, generic, fast and flexible logging framework. + ~ Copyright (C) 1999-2023, QOS.ch. All rights reserved. + ~ + ~ This program and the accompanying materials are dual-licensed under + ~ either the terms of the Eclipse Public License v1.0 as published by + ~ the Eclipse Foundation + ~ + ~ or (per the licensee's choosing) + ~ + ~ under the terms of the GNU Lesser General Public License version 2.1 + ~ as published by the Free Software Foundation. + --> + +<configuration debug="true"> + <appender name="GENERAL" class="ch.qos.logback.core.rolling.RollingFileAppender"> + <rollingPolicy class="ch.qos.logback.core.rolling.TimeBasedRollingPolicy"> + <fileNamePattern>${logback_1754_targetDirectory}/test-%d{yyyy-MM-dd}.log</fileNamePattern> + <maxHistory>120</maxHistory> + </rollingPolicy> + <encoder> + <pattern>%date{HH:mm:ss.SSS} [%level] %logger{0} [%thread] [%class{3}:%line] : %msg%n</pattern> + </encoder> + <prudent>true</prudent> + </appender> + <root level="debug"> + <appender-ref ref="GENERAL" /> + </root> +</configuration> \ No newline at end of file diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java new/logback-1.2.13/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java --- old/logback-1.2.11/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java 1970-01-01 01:00:00.000000000 +0100 +++ new/logback-1.2.13/logback-classic/src/test/java/ch/qos/logback/classic/issue/logback_1754/LogbackTest.java 2023-12-01 15:19:53.000000000 +0100 @@ -0,0 +1,78 @@ +/* + * Logback: the reliable, generic, fast and flexible logging framework. + * Copyright (C) 1999-2023, QOS.ch. All rights reserved. + * + * This program and the accompanying materials are dual-licensed under + * either the terms of the Eclipse Public License v1.0 as published by + * the Eclipse Foundation + * + * or (per the licensee's choosing) + * + * under the terms of the GNU Lesser General Public License version 2.1 + * as published by the Free Software Foundation. + */ + +package ch.qos.logback.classic.issue.logback_1754; + +import ch.qos.logback.classic.ClassicConstants; +import ch.qos.logback.classic.ClassicTestConstants; +import ch.qos.logback.core.testUtil.RandomUtil; +import org.slf4j.Logger; +import org.slf4j.LoggerFactory; + +import java.util.ArrayList; +import java.util.List; +import java.util.concurrent.CountDownLatch; + +import static ch.qos.logback.classic.util.ContextInitializer.CONFIG_FILE_PROPERTY; + +public class LogbackTest { + + private static final int THREADS = 16; + + private void runTest() { + + int diff = RandomUtil.getPositiveInt(); + //System.setProperty("logback.statusListenerClass", "sysout"); + System.setProperty(CONFIG_FILE_PROPERTY, ClassicTestConstants.INPUT_PREFIX+"issue/logback-1754.xml"); + System.setProperty("logback_1754_targetDirectory", ClassicTestConstants.OUTPUT_DIR_PREFIX+"safeWrite_"+diff); + + CountDownLatch latch = new CountDownLatch(THREADS); + List<Thread> threads = new ArrayList<Thread>(THREADS); + for (int i = 0; i < THREADS; i++) { + LoggerThread thread = new LoggerThread(latch, "message from thread " + i); + thread.start(); + threads.add(thread); + } + for (Thread thread : threads) { + try { + thread.join(); + } catch (InterruptedException e) { + Thread.currentThread().interrupt(); + throw new RuntimeException(e); + } + } + } + + public static void main(String... args) { + new LogbackTest().runTest(); + } + + private static final class LoggerThread extends Thread { + private static final Logger LOG = LoggerFactory.getLogger(LoggerThread.class); + private final CountDownLatch latch; + private final String message; + + LoggerThread(CountDownLatch latch, String message) { + setDaemon(false); + this.latch = latch; + this.message = message; + } + + @Override + public void run() { + latch.countDown(); + LOG.info(message); + } + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-core/pom.xml new/logback-1.2.13/logback-core/pom.xml --- old/logback-1.2.11/logback-core/pom.xml 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-core/pom.xml 2023-12-01 15:19:53.000000000 +0100 @@ -8,7 +8,7 @@ <parent> <groupId>ch.qos.logback</groupId> <artifactId>logback-parent</artifactId> - <version>1.2.11</version> + <version>1.2.13</version> </parent> <artifactId>logback-core</artifactId> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java new/logback-1.2.13/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java --- old/logback-1.2.11/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-core/src/main/java/ch/qos/logback/core/net/HardenedObjectInputStream.java 2023-12-01 15:19:53.000000000 +0100 @@ -1,10 +1,27 @@ +/** + * Logback: the reliable, generic, fast and flexible logging framework. + * Copyright (C) 1999-2023, QOS.ch. All rights reserved. + * + * This program and the accompanying materials are dual-licensed under + * either the terms of the Eclipse Public License v1.0 as published by + * the Eclipse Foundation + * + * or (per the licensee's choosing) + * + * under the terms of the GNU Lesser General Public License version 2.1 + * as published by the Free Software Foundation. + */ package ch.qos.logback.core.net; +import ch.qos.logback.core.util.EnvUtil; + import java.io.IOException; import java.io.InputStream; import java.io.InvalidClassException; import java.io.ObjectInputStream; import java.io.ObjectStreamClass; +import java.lang.reflect.InvocationTargetException; +import java.lang.reflect.Method; import java.util.ArrayList; import java.util.List; @@ -22,10 +39,12 @@ final List<String> whitelistedClassNames; final static String[] JAVA_PACKAGES = new String[] { "java.lang", "java.util" }; + final private static int DEPTH_LIMIT = 16; + final private static int ARRAY_LIMIT = 10000; public HardenedObjectInputStream(InputStream in, String[] whilelist) throws IOException { super(in); - + initObjectFilter(); this.whitelistedClassNames = new ArrayList<String>(); if (whilelist != null) { for (int i = 0; i < whilelist.length; i++) { @@ -36,11 +55,43 @@ public HardenedObjectInputStream(InputStream in, List<String> whitelist) throws IOException { super(in); - + initObjectFilter(); this.whitelistedClassNames = new ArrayList<String>(); this.whitelistedClassNames.addAll(whitelist); } + private void initObjectFilter() { + + // invoke the following code by reflection + // this.setObjectInputFilter(ObjectInputFilter.Config.createFilter( + // "maxarray=" + ARRAY_LIMIT + ";maxdepth=" + DEPTH_LIMIT + ";" + // )); + if(EnvUtil.isJDK9OrHigher()) { + try { + ClassLoader classLoader = this.getClass().getClassLoader(); + + Class oifClass = classLoader.loadClass("java.io.ObjectInputFilter"); + Class oifConfigClass = classLoader.loadClass("java.io.ObjectInputFilter$Config"); + Method setObjectInputFilterMethod = this.getClass().getMethod("setObjectInputFilter", oifClass); + + Method createFilterMethod = oifConfigClass.getMethod("createFilter", String.class); + Object filter = createFilterMethod.invoke(null, "maxarray=" + ARRAY_LIMIT + ";maxdepth=" + DEPTH_LIMIT + ";"); + setObjectInputFilterMethod.invoke(this, filter); + } catch (ClassNotFoundException e) { + // this code should be unreachable + throw new RuntimeException("Failed to initialize object filter", e); + } catch (InvocationTargetException e) { + // this code should be unreachable + throw new RuntimeException("Failed to initialize object filter", e); + } catch (NoSuchMethodException e) { + // this code should be unreachable + throw new RuntimeException("Failed to initialize object filter", e); + } catch (IllegalAccessException e) { + // this code should be unreachable + throw new RuntimeException("Failed to initialize object filter", e); + } + } + } @Override protected Class<?> resolveClass(ObjectStreamClass anObjectStreamClass) throws IOException, ClassNotFoundException { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java new/logback-1.2.13/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java --- old/logback-1.2.11/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-core/src/main/java/ch/qos/logback/core/util/EnvUtil.java 2023-12-01 15:19:53.000000000 +0100 @@ -1,6 +1,6 @@ /** * Logback: the reliable, generic, fast and flexible logging framework. - * Copyright (C) 1999-2015, QOS.ch. All rights reserved. + * Copyright (C) 1999-2023, QOS.ch. All rights reserved. * * This program and the accompanying materials are dual-licensed under * either the terms of the Eclipse Public License v1.0 as published by @@ -22,22 +22,27 @@ public class EnvUtil { static private boolean isJDK_N_OrHigher(int n) { - List<String> versionList = new ArrayList<String>(); - // this code should work at least until JDK 10 (assuming n parameter is - // always 6 or more) - for (int i = 0; i < 5; i++) { - versionList.add("1." + (n + i)); - } - - String javaVersion = System.getProperty("java.version"); - if (javaVersion == null) { + String javaVersionStr = System.getProperty("java.version", ""); + if (javaVersionStr.isEmpty()) return false; + + int version = getJDKVersion(javaVersionStr); + return version > 0 && n <= version; + } + + static public int getJDKVersion(String javaVersionStr) { + int version = 0; + + for (char ch : javaVersionStr.toCharArray()) { + if (Character.isDigit(ch)) { + version = (version * 10) + (ch - 48); + } else if (version == 1) { + version = 0; + } else { + break; + } } - for (String v : versionList) { - if (javaVersion.startsWith(v)) - return true; - } - return false; + return version; } static public boolean isJDK5() { @@ -52,6 +57,10 @@ return isJDK_N_OrHigher(7); } + static public boolean isJDK9OrHigher() { + return isJDK_N_OrHigher(9); + } + static public boolean isJaninoAvailable() { ClassLoader classLoader = EnvUtil.class.getClassLoader(); try { diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-core/src/main/java/ch/qos/logback/core/util/OptionHelper.java new/logback-1.2.13/logback-core/src/main/java/ch/qos/logback/core/util/OptionHelper.java --- old/logback-1.2.11/logback-core/src/main/java/ch/qos/logback/core/util/OptionHelper.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-core/src/main/java/ch/qos/logback/core/util/OptionHelper.java 2023-12-01 15:19:53.000000000 +0100 @@ -259,5 +259,15 @@ public static boolean isEmpty(String str) { return ((str == null) || str.length() == 0); } + + final public static boolean isNullOrEmpty(Object[] array) { + if(array == null || array.length == 0) + return true; + else + return false; + } + final public static boolean isNotEmtpy(Object[] array) { + return !isNullOrEmpty(array); + } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java new/logback-1.2.13/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java --- old/logback-1.2.11/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-core/src/test/java/ch/qos/logback/core/net/HardenedObjectInputStreamTest.java 2023-12-01 15:19:53.000000000 +0100 @@ -1,12 +1,17 @@ package ch.qos.logback.core.net; import static org.junit.Assert.assertEquals; +import static org.junit.Assert.fail; import java.io.ByteArrayInputStream; import java.io.ByteArrayOutputStream; import java.io.IOException; +import java.io.InvalidClassException; import java.io.ObjectOutputStream; +import java.util.HashSet; +import java.util.Set; +import ch.qos.logback.core.util.EnvUtil; import org.junit.After; import org.junit.Before; import org.junit.Test; @@ -54,5 +59,47 @@ oos.flush(); oos.close(); } - + + @Test + public void denialOfService() throws ClassNotFoundException, IOException { + + if(!EnvUtil.isJDK9OrHigher()) { + return; + } + + ByteArrayInputStream bis = new ByteArrayInputStream(payload()); + inputStream = new HardenedObjectInputStream(bis, whitelist); + try { + inputStream.readObject(); + fail("InvalidClassException expected"); + } catch(InvalidClassException e) { + } + finally { + inputStream.close(); + } + } + + private byte[] payload() throws IOException { + Set root = buildEvilHashset(); + writeObject(oos, root); + return bos.toByteArray(); + } + + private Set buildEvilHashset() { + Set root = new HashSet(); + Set s1 = root; + Set s2 = new HashSet(); + for (int i = 0; i < 100; i++) { + Set t1 = new HashSet(); + Set t2 = new HashSet(); + t1.add("foo"); // make it not equal to t2 + s1.add(t1); + s1.add(t2); + s2.add(t1); + s2.add(t2); + s1 = t1; + s2 = t2; + } + return root; + } } diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java new/logback-1.2.13/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java --- old/logback-1.2.11/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-core/src/test/java/ch/qos/logback/core/rolling/ScaffoldingForRollingTests.java 2023-12-01 15:19:53.000000000 +0100 @@ -24,10 +24,10 @@ import java.io.File; import java.io.IOException; -import java.sql.Date; import java.text.SimpleDateFormat; import java.util.ArrayList; import java.util.Calendar; +import java.util.Date; import java.util.Enumeration; import java.util.List; import java.util.concurrent.Future; diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java new/logback-1.2.13/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java --- old/logback-1.2.11/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java 1970-01-01 01:00:00.000000000 +0100 +++ new/logback-1.2.13/logback-core/src/test/java/ch/qos/logback/core/util/EnvUtilTest.java 2023-12-01 15:19:53.000000000 +0100 @@ -0,0 +1,34 @@ +/** + * Logback: the reliable, generic, fast and flexible logging framework. + * Copyright (C) 1999-2023, QOS.ch. All rights reserved. + * + * This program and the accompanying materials are dual-licensed under + * either the terms of the Eclipse Public License v1.0 as published by + * the Eclipse Foundation + * + * or (per the licensee's choosing) + * + * under the terms of the GNU Lesser General Public License version 2.1 + * as published by the Free Software Foundation. + */ +package ch.qos.logback.core.util; + +import org.junit.Test; + +import static org.junit.Assert.assertEquals; + +public class EnvUtilTest { + + + @Test + public void jdkVersion() { + assertEquals(4, EnvUtil.getJDKVersion("1.4.xx")); + assertEquals(5, EnvUtil.getJDKVersion("1.5")); + assertEquals(5, EnvUtil.getJDKVersion("1.5.xx")); + assertEquals(5, EnvUtil.getJDKVersion("1.5AA")); + assertEquals(9, EnvUtil.getJDKVersion("9EA")); + assertEquals(9, EnvUtil.getJDKVersion("9.0.1")); + assertEquals(18, EnvUtil.getJDKVersion("18.3+xx")); + assertEquals(21, EnvUtil.getJDKVersion("21.0.1")); + } +} diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-examples/pom.xml new/logback-1.2.13/logback-examples/pom.xml --- old/logback-1.2.11/logback-examples/pom.xml 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-examples/pom.xml 2023-12-01 15:19:53.000000000 +0100 @@ -8,7 +8,7 @@ <parent> <groupId>ch.qos.logback</groupId> <artifactId>logback-parent</artifactId> - <version>1.2.11</version> + <version>1.2.13</version> </parent> <artifactId>logback-examples</artifactId> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/logback-site/pom.xml new/logback-1.2.13/logback-site/pom.xml --- old/logback-1.2.11/logback-site/pom.xml 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/logback-site/pom.xml 2023-12-01 15:19:53.000000000 +0100 @@ -7,7 +7,7 @@ <parent> <groupId>ch.qos.logback</groupId> <artifactId>logback-parent</artifactId> - <version>1.2.11</version> + <version>1.2.13</version> </parent> <artifactId>logback-site</artifactId> diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/logback-1.2.11/pom.xml new/logback-1.2.13/pom.xml --- old/logback-1.2.11/pom.xml 2022-03-05 21:41:13.000000000 +0100 +++ new/logback-1.2.13/pom.xml 2023-12-01 15:19:53.000000000 +0100 @@ -7,7 +7,7 @@ <groupId>ch.qos.logback</groupId> <artifactId>logback-parent</artifactId> - <version>1.2.11</version> + <version>1.2.13</version> <packaging>pom</packaging> <name>Logback-Parent</name> @@ -34,7 +34,7 @@ </licenses> <scm> - <url>https://github.com/ceki/logback</url> + <url>https://github.com/qos-ch/logback</url> <connection>scm:[email protected]:qos-ch/logback.git</connection> </scm> @@ -47,7 +47,7 @@ </modules> <properties> - <project.build.outputTimestamp>2022-03-05T19:45:00Z</project.build.outputTimestamp> + <project.build.outputTimestamp>2023-12-01T14:16:33Z</project.build.outputTimestamp> <maven.compiler.source>1.6</maven.compiler.source> <maven.compiler.target>1.6</maven.compiler.target> <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding> @@ -62,15 +62,13 @@ <consolePlugin.version>1.1.0</consolePlugin.version> <!--<tomcat.version>7.0.59</tomcat.version>--> <tomcat.version>8.5.9</tomcat.version> - <!--<jetty.version>7.5.1.v20110908</jetty.version>--> - <jetty.version>8.2.0.v20160908</jetty.version> - <!--<jetty.version>9.2.9.v20150224</jetty.version>--> + <jetty.version>9.4.44.v20210927</jetty.version> <jansi.version>1.9</jansi.version> <maven-compiler-plugin.version>3.8.1</maven-compiler-plugin.version> <maven-surefire-plugin.version>2.19.1</maven-surefire-plugin.version> <maven-site-plugin.version>3.7.1</maven-site-plugin.version> <maven-javadoc-plugin.version>3.1.0</maven-javadoc-plugin.version> - <maven-source-plugin.version>3.2.0</maven-source-plugin.version> + <maven-source-plugin.version>3.2.1</maven-source-plugin.version> <maven-license-plugin.version>3.0</maven-license-plugin.version> <maven-jar-plugin.version>3.2.2</maven-jar-plugin.version> <maven-jxr-plugin.version>3.1.1</maven-jxr-plugin.version> ++++++ logback-CVE-2025-11226.patch ++++++ --- logback-1.2.11/logback-core/src/main/java/ch/qos/logback/core/joran/conditional/IfAction.java 2025-10-03 08:07:31.612322275 +0200 +++ logback-1.2.11/logback-core/src/main/java/ch/qos/logback/core/joran/conditional/IfAction.java 2025-10-03 08:35:54.710217338 +0200 @@ -33,6 +33,9 @@ public static final String MISSING_JANINO_MSG = "Could not find Janino library on the class path. Skipping conditional processing."; public static final String MISSING_JANINO_SEE = "See also " + CoreConstants.CODES_URL + "#ifJanino"; + public static final String NEW_OPERATOR_DISALLOWED_MSG = "The 'condition' attribute may not contain the 'new' operator."; + public static final String NEW_OPERATOR_DISALLOWED_SEE = "See also " + CoreConstants.CODES_URL + "#conditionNew"; + Stack<IfState> stack = new Stack<IfState>(); @Override @@ -59,6 +62,14 @@ if (!OptionHelper.isEmpty(conditionAttribute)) { conditionAttribute = OptionHelper.substVars(conditionAttribute, ic, context); + + // do not allow 'new' operator + if(conditionAttribute.contains("new ")) { + addError(NEW_OPERATOR_DISALLOWED_MSG); + addError(NEW_OPERATOR_DISALLOWED_SEE); + return; + } + PropertyEvalScriptBuilder pesb = new PropertyEvalScriptBuilder(ic); pesb.setContext(context); try {
