Author: markt
Date: Fri Feb 8 00:14:43 2008
New Revision: 619799
URL: http://svn.apache.org/viewvc?rev=619799&view=rev
Log:
Fix CVE-2007-5461, an info disclosure vulnerability.
Modified:
tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
tomcat/current/tc4.1.x/STATUS.txt
Modified: tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt?rev=619799&r1=619798&r2=619799&view=diff
==============================================================================
--- tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt (original)
+++ tomcat/container/branches/tc4.1.x/RELEASE-NOTES-4.1.txt Fri Feb 8 00:14:43
2008
@@ -1681,6 +1681,9 @@
[4.1.37] WebDAV
Fix issues with MS clients.
+[4.1.37] WebDAV
+ Fix CVE-2007-5461, an important information disclosure vulnerability
+
----------------
Coyote Bug Fixes:
Modified:
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties?rev=619799&r1=619798&r2=619799&view=diff
==============================================================================
---
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
(original)
+++
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
Fri Feb 8 00:14:43 2008
@@ -86,6 +86,7 @@
managerServlet.userDatabaseError=FAIL - Cannot resolve user database reference
managerServlet.userDatabaseMissing=FAIL - No user database is available
webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference to an
external entity with PublicID {0} and SystemID {1} which was ignored
directory.filename=Filename
directory.lastModified=Last Modified
directory.parent=Up To {0}
Modified:
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java?rev=619799&r1=619798&r2=619799&view=diff
==============================================================================
---
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
(original)
+++
tomcat/container/branches/tc4.1.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
Fri Feb 8 00:14:43 2008
@@ -20,6 +20,7 @@
import java.io.IOException;
+import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.text.SimpleDateFormat;
@@ -34,6 +35,7 @@
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
@@ -50,6 +52,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
@@ -218,7 +221,10 @@
try {
documentBuilderFactory = DocumentBuilderFactory.newInstance();
documentBuilderFactory.setNamespaceAware(true);
+ documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(
+ new WebdavResolver(this.getServletContext()));
} catch(ParserConfigurationException e) {
throw new ServletException
(sm.getString("webdavservlet.jaxpfailed"));
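Review bot: `setExpandEntityReferences(false)` on the new line in this hunk is advisory on several parsers, which the commit itself concedes by adding the resolver, so the factory should also switch external entity loading off explicitly where the JAXP level in use supports it: `documentBuilderFactory.setFeature("http://xml.org/sax/features/external-general-entities", false);` and `documentBuilderFactory.setFeature("http://xml.org/sax/features/external-parameter-entities", false);` (an unsupported feature raises `ParserConfigurationException`, which the existing catch already turns into a `ServletException`). Even with the resolver in place internal entities are still expanded, so a request body whose DTD defines nested internal entities can still drive CPU and memory consumption; if WebDAV clients never need a DOCTYPE, `documentBuilderFactory.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true);` removes that remaining surface as well. The method enclosing this try block starts and ends outside the hunk.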
@@ -2736,6 +2742,26 @@
}
+ // --------------------------------------------- WebdavResolver Inner Class
+ /**
+ * Work around for XML parsers that don't fully respect
+ * [EMAIL PROTECTED]
DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+ * references are filtered out for security reasons. See CVE-2007-5461.
+ */
+ private class WebdavResolver implements EntityResolver {
+ private ServletContext context;
+
+ public WebdavResolver(ServletContext theContext) {
+ context = theContext;
+ }
+
+ public InputSource resolveEntity (String publicId, String systemId) {
+ context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+ publicId, systemId));
+ return new InputSource(
+ new StringReader("Ignored external entity"));
+ }
+ }
};
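Review bot: `resolveEntity` writes `publicId` and `systemId`, which come unmodified from the request body, into the container log, so a crafted identifier can embed line breaks that forge log entries or be arbitrarily long; strip control characters and bound the length before formatting, as sketched below. The substituted content `"Ignored external entity"` is plain text, so a general entity referenced from the document body is replaced by that text while a parameter entity referenced from the DTD most likely yields a parse error, and a one-line comment above the `return` saying so (`// Plain text, not DTD markup: references from the DTD fail rather than resolve`) would save the next maintainer from re-deriving it. The message key `webdavservlet.enternalEntityIgnored` is misspelled (`external`) both here and in the LocalStrings.properties hunk; if it is corrected, both files must change together. `WebdavResolver` only reads `context` and `sm`, so it can be declared `static` if `sm` is a static field of the servlet, avoiding the hidden reference to the enclosing instance.
```java
        public InputSource resolveEntity (String publicId, String systemId) {
            context.log(sm.getString("webdavservlet.enternalEntityIgnored",
                                     forLog(publicId), forLog(systemId)));
            // Plain text, not DTD markup: references from the DTD fail rather than resolve
            return new InputSource(
                    new StringReader("Ignored external entity"));
        }

        // Request-supplied identifiers go to the log as-is otherwise; keep
        // them printable and bounded so a crafted value cannot forge entries.
        private static String forLog(String id) {
            if (id == null) {
                return null;
            }
            int len = Math.min(id.length(), 200);
            StringBuffer sb = new StringBuffer(len + 3);
            for (int i = 0; i < len; i++) {
                char c = id.charAt(i);
                sb.append(Character.isISOControl(c) ? '?' : c);
            }
            if (id.length() > len) {
                sb.append("...");
            }
            return sb.toString();
        }
```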
Modified: tomcat/current/tc4.1.x/STATUS.txt
URL:
http://svn.apache.org/viewvc/tomcat/current/tc4.1.x/STATUS.txt?rev=619799&r1=619798&r2=619799&view=diff
==============================================================================
--- tomcat/current/tc4.1.x/STATUS.txt (original)
+++ tomcat/current/tc4.1.x/STATUS.txt Fri Feb 8 00:14:43 2008
@@ -25,17 +25,6 @@
PATCHES PROPOSED TO BACKPORT:
[ New proposals should be added at the end of the list ]
-* Fix important vulnerability when webdav is enabled for write
- Patch: http://marc.info/?l=tomcat-dev&m=119245116910632&w=2
- +1: markt, yoavs, jim, fhanik
- -1:
-
-* Improve fix for webdav vulnerability to workaround what looks like a parser
- bug
- http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
- +1: markt, yoavs, jim, fhanik
- -1:
-
* Add feature to use system properties in server.xml.
TC 5.0/5.5/6.0 already can do this, and since commons-digester
in TC 4.1 is recent enough, it's easy for TC 4.1 to.