Author: marcusb-guest
Date: 2008-10-05 12:15:37 +0000 (Sun, 05 Oct 2008)
New Revision: 7117
Modified:
trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/Constants.java
trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
trunk/tomcat5.5/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
trunk/tomcat5.5/connectors/jk/java/org/apache/jk/common/JkInputStream.java
trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
trunk/tomcat5.5/debian/changelog
Log:
Apply fix for CVE-2008-1232 from http://svn.apache.org/viewvc?view=rev&revision=680947.
Modified: trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/Constants.java
===================================================================
--- trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/Constants.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/Constants.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -53,4 +53,12 @@
 public static final int STAGE_ENDED = 7;
+ /**
+ * If true, custom HTTP status messages will be used in headers.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ Boolean.valueOf(System.getProperty(
+ "org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER",
+ "false")).booleanValue();
+
 }
Modified: trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
===================================================================
--- trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java 2008-10-05 12:15:37 UTC (rev 7117)
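Review bot: The Javadoc on USE_CUSTOM_STATUS_MSG_IN_HEADER says what the flag does but not why it defaults to false, which is the property the connector hunks below rely on: a custom reason phrase is application-supplied text written into the status line, and the output buffers only normalize CR/LF in it when this flag is on. I would extend the comment to `* Defaults to false (the safe setting): when enabled, application-supplied reason phrases are written into the status line. Read once at class initialization from the system property, so it must be set before the connector classes load.` The static initializer evaluates System.getProperty exactly once, so a later System.setProperty has no effect, which is worth stating for operators. `Boolean.getBoolean("org.apache.coyote.USE_CUSTOM_STATUS_MSG_IN_HEADER")` would express the same check in a single call.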
@@ -429,11 +429,14 @@
 buf[pos++] = Constants.SP;
 // Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null) {
 write(HttpMessages.getMessage(status));
 } else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
 }
 // End the response status line
Modified: trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
===================================================================
--- trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -448,11 +448,14 @@
 buf[pos++] = Constants.SP;
 // Write message
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null) {
 write(getMessage(status));
 } else {
- write(message);
+ write(message.replace('\n', ' ').replace('\r', ' '));
 }
 // End the response status line
Modified: trunk/tomcat5.5/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
===================================================================
--- trunk/tomcat5.5/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java 2008-10-05 12:15:37 UTC (rev 7117)
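Review bot: The `write(message.replace('\n', ' ').replace('\r', ' '))` line neutralizes only CR and LF, so when the property is enabled any other control characters in an application-supplied reason phrase still reach `write(String)` unless that method filters them (its body is not in the hunk). The same gate-and-strip sequence appears verbatim in the InternalOutputBuffer hunk at @@ -448; a shared static helper on HttpMessages that returns either the default message for the status or the normalized custom one would keep the two connectors from drifting apart. The stripping deserves a why-comment, e.g. `// CVE-2008-1232: a custom reason phrase is application text; strip CR/LF so it cannot terminate the status line or start a header`. The enclosing method continues outside the hunk on both sides.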
@@ -942,7 +942,10 @@
 // HTTP header contents
 responseHeaderMessage.appendInt(response.getStatus());
- String message = response.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = response.getMessage();
+ }
 if (message == null){
 message = HttpMessages.getMessage(response.getStatus());
 } else {
Modified: trunk/tomcat5.5/connectors/jk/java/org/apache/jk/common/JkInputStream.java
===================================================================
--- trunk/tomcat5.5/connectors/jk/java/org/apache/jk/common/JkInputStream.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/connectors/jk/java/org/apache/jk/common/JkInputStream.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -279,7 +279,10 @@
 outputMsg.appendByte(AjpConstants.JK_AJP13_SEND_HEADERS);
 outputMsg.appendInt( res.getStatus() );
- String message=res.getMessage();
+ String message = null;
+ if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) {
+ message = res.getMessage();
+ }
 if( message==null ){
 message= HttpMessages.getMessage(res.getStatus());
 } else {
Modified: trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java
===================================================================
--- trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/StandardContextValve.java 2008-10-05 12:15:37 UTC (rev 7117)
@@ -119,8 +119,7 @@
 || (requestPathMB.equalsIgnoreCase("/META-INF"))
 || (requestPathMB.startsWithIgnoreCase("/WEB-INF/", 0))
 || (requestPathMB.equalsIgnoreCase("/WEB-INF"))) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
 return;
 }
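Review bot: The `String message = null; if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER) { ... }` gate is now copied into four places (this hunk, the JkInputStream hunk at @@ -279, and the two HTTP/1.1 output buffers above); a single accessor that applies the policy once would make it harder for a future connector to miss it. The fully qualified `org.apache.coyote.Constants` is presumably needed because these connectors already refer to another constants class (the http11 hunks use an unqualified `Constants.SP`, this file's sibling uses `AjpConstants`), which a reader may not know, so a short comment such as `// org.apache.coyote.Constants, not the connector-local constants class` would help. The `else` branch that emits the custom message in both AJP hunks continues outside the hunk, so whether that message receives the same CR/LF normalization as the HTTP/1.1 buffers cannot be seen here and is worth confirming or documenting at the branch.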
@@ -136,8 +135,7 @@
 // Select the Wrapper to be used for this Request
 Wrapper wrapper = request.getWrapper();
 if (wrapper == null) {
- String requestURI = request.getDecodedRequestURI();
- notFound(requestURI, response);
+ notFound(response);
 return;
 }
@@ -206,13 +204,12 @@
 * application, but currently that code runs at the wrapper level rather
 * than the context level.
 *
- * @param requestURI The request URI for the requested resource
 * @param response The response we are creating
 */
- private void notFound(String requestURI, HttpServletResponse response) {
+ private void notFound(HttpServletResponse response) {
 try {
- response.sendError(HttpServletResponse.SC_NOT_FOUND, requestURI);
+ response.sendError(HttpServletResponse.SC_NOT_FOUND);
 } catch (IllegalStateException e) {
 ;
 } catch (IOException e) {
Modified: trunk/tomcat5.5/debian/changelog
===================================================================
--- trunk/tomcat5.5/debian/changelog 2008-10-05 12:09:51 UTC (rev 7116)
+++ trunk/tomcat5.5/debian/changelog 2008-10-05 12:15:37 UTC (rev 7117)
@@ -1,3 +1,10 @@
+tomcat5.5 (5.5.26-4) unstable; urgency=high
+
+ * Security issues fixed.
+ - CVE-2008-1232: Cross-site scripting.
+
+ -- Marcus Better <[EMAIL PROTECTED]> Sun, 05 Oct 2008 14:15:19 +0200
+
 tomcat5.5 (5.5.26-3) unstable; urgency=high
 * CVE-2008-1947: Fix XSS issue in host-manager web application.
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits
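Review bot: `notFound` no longer passes the decoded request URI to `sendError`, but neither its Javadoc nor the two call sites (the hunks at @@ -119 and @@ -136) record why, so a later change could reintroduce the argument as a usability improvement and undo the fix. I would add to the Javadoc `* No message is passed to sendError on purpose: the decoded request URI used to be supplied here and appears to be the reflected value behind CVE-2008-1232, so only the status code is sent.` The `catch (IllegalStateException e) { ; }` that silently ignores a committed response is pre-existing and unchanged by this commit, and the method's final catch block continues outside the hunk.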

