commit:     a7b38fffb499e7639620acd866ba5a249a3c6497
Author:     Miroslav Šulc <fordfrog <AT> gentoo <DOT> org>
AuthorDate: Thu May 19 19:58:16 2016 +0000
Commit:     Miroslav Šulc <fordfrog <AT> gentoo <DOT> org>
CommitDate: Thu May 19 19:58:35 2016 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a7b38fff

www-servers/tomcat: backported patch from M7 which fixes NPE in 
StandardJarScanner.processManifest()

Package-Manager: portage-2.3.0_rc1

 .../tomcat-9.0.0_alpha6-processmanifest.patch      | 76 ++++++++++++++++++++++
 ...alpha6.ebuild => tomcat-9.0.0_alpha6-r1.ebuild} |  2 +-
 2 files changed, 77 insertions(+), 1 deletion(-)

diff --git a/www-servers/tomcat/files/tomcat-9.0.0_alpha6-processmanifest.patch 
b/www-servers/tomcat/files/tomcat-9.0.0_alpha6-processmanifest.patch
new file mode 100644
index 0000000..fa38d5d
--- /dev/null
+++ b/www-servers/tomcat/files/tomcat-9.0.0_alpha6-processmanifest.patch
@@ -0,0 +1,76 @@
+--- tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java      
2016/05/04 11:07:55     1742251
++++ tomcat/trunk/java/org/apache/tomcat/util/scan/StandardJarScanner.java      
2016/05/17 07:18:38     1744194
+@@ -370,40 +370,42 @@
+         }
+ 
+         Manifest manifest = jar.getManifest();
+-        Attributes attributes = manifest.getMainAttributes();
+-        String classPathAttribute = attributes.getValue("Class-Path");
+-        if (classPathAttribute == null) {
+-            return;
+-        }
+-        String[] classPathEntries = classPathAttribute.split(" ");
+-        for (String classPathEntry : classPathEntries) {
+-            classPathEntry = classPathEntry.trim();
+-            if (classPathEntry.length() == 0) {
+-                continue;
++        if (manifest != null) {
++            Attributes attributes = manifest.getMainAttributes();
++            String classPathAttribute = attributes.getValue("Class-Path");
++            if (classPathAttribute == null) {
++                return;
+             }
+-            URL jarURL = jar.getJarFileURL();
+-            URI jarURI;
+-            try {
+-                jarURI = jarURL.toURI();
+-            } catch (URISyntaxException e) {
+-                if (log.isDebugEnabled()) {
+-                    log.debug(sm.getString("jarScan.invalidUri", jarURL));
++            String[] classPathEntries = classPathAttribute.split(" ");
++            for (String classPathEntry : classPathEntries) {
++                classPathEntry = classPathEntry.trim();
++                if (classPathEntry.length() == 0) {
++                    continue;
++                }
++                URL jarURL = jar.getJarFileURL();
++                URI jarURI;
++                try {
++                    jarURI = jarURL.toURI();
++                } catch (URISyntaxException e) {
++                    if (log.isDebugEnabled()) {
++                        log.debug(sm.getString("jarScan.invalidUri", jarURL));
++                    }
++                    continue;
+                 }
+-                continue;
++                /*
++                 * Note: Resolving the relative URLs from the manifest has the
++                 *       potential to introduce security concerns. However, 
since
++                 *       only JARs provided by the container and NOT those 
provided
++                 *       by web applications are processed, there should be no
++                 *       issues.
++                 *       If this feature is ever extended to include JARs 
provided
++                 *       by web applications, checks should be added to 
ensure that
++                 *       any relative URL does not step outside the web 
application.
++                 */
++                URI classPathEntryURI = jarURI.resolve(classPathEntry);
++                URL classPathEntryURL = classPathEntryURI.toURL();
++                classPathUrlsToProcess.add(classPathEntryURL);
+             }
+-            /*
+-             * Note: Resolving the relative URLs from the manifest has the
+-             *       potential to introduce security concerns. However, since
+-             *       only JARs provided by the container and NOT those 
provided
+-             *       by web applications are processed, there should be no
+-             *       issues.
+-             *       If this feature is ever extended to include JARs provided
+-             *       by web applications, checks should be added to ensure 
that
+-             *       any relative URL does not step outside the web 
application.
+-             */
+-            URI classPathEntryURI = jarURI.resolve(classPathEntry);
+-            URL classPathEntryURL = classPathEntryURI.toURL();
+-            classPathUrlsToProcess.add(classPathEntryURL);
+         }
+     }
+ 
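Review bot: `jarURI.resolve(classPathEntry)` inside the loop can still throw an unchecked `IllegalArgumentException` when a Class-Path entry is not a syntactically valid URI, and unlike the `URISyntaxException` for the JAR's own URL it is not caught, so one malformed manifest entry could abort the scan much as the original NPE did. I would wrap the resolve/toURL pair as `try { classPathEntryURI = jarURI.resolve(classPathEntry); } catch (IllegalArgumentException e) { continue; }`, with a debug log in the catch in the same style as the existing one. Separately, the moved comment relies on only container-provided JARs reaching this code, but the guard that enforces this is not in the hunk (processManifest starts above line 370); presumably it is the early return that closes just before `jar.getManifest()`, and the comment should name it. An absolute URI in Class-Path replaces the base entirely when resolved, so the resulting URL is not confined to the JAR's directory. That is one more reason to keep the container-only guard explicit and tested.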

diff --git a/www-servers/tomcat/tomcat-9.0.0_alpha6.ebuild 
b/www-servers/tomcat/tomcat-9.0.0_alpha6-r1.ebuild
similarity index 98%
rename from www-servers/tomcat/tomcat-9.0.0_alpha6.ebuild
rename to www-servers/tomcat/tomcat-9.0.0_alpha6-r1.ebuild
index 438086b..21e76fb 100644
--- a/www-servers/tomcat/tomcat-9.0.0_alpha6.ebuild
+++ b/www-servers/tomcat/tomcat-9.0.0_alpha6-r1.ebuild
@@ -52,7 +52,7 @@ java_prepare() {
        # Remove bundled servlet-api
        rm -rv java/javax/{el,servlet} || die
 
-       epatch "${FILESDIR}/${P}-build.xml.patch"
+       epatch "${FILESDIR}/${P}-build.xml.patch" 
"${FILESDIR}/${P}-processmanifest.patch"
 
        # For use of catalina.sh in netbeans
        sed -i -e "/^# ----- Execute The Requested Command/ a\
