Author: marcusb-guest Date: 2008-10-05 12:18:06 +0000 (Sun, 05 Oct 2008) New Revision: 7118
Modified: trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java trunk/tomcat5.5/debian/changelog
Log: Apply fix for CVE-2008-2370 from http://svn.apache.org/viewvc?view=rev&revision=680949.
Modified: trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java
===================================================================
--- trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java 2008-10-05 12:15:37 UTC (rev 7117)
+++ trunk/tomcat5.5/container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java 2008-10-05 12:18:06 UTC (rev 7118)
@@ -379,10 +379,21 @@
 throw new IllegalArgumentException (sm.getString ("applicationContext.requestDispatcher.iae", path)); + + // Get query string + String queryString = null; + int pos = path.indexOf('?'); + if (pos >= 0) { + queryString = path.substring(pos + 1); + path = path.substring(0, pos); + } + path = normalize(path); if (path == null) return (null); + pos = path.length(); + // Retrieve the thread local URI MessageBytes uriMB = (MessageBytes) localUriMB.get(); if (uriMB == null) {
@@ -394,15 +405,6 @@
 uriMB.recycle(); } - // Get query string - String queryString = null; - int pos = path.indexOf('?'); - if (pos >= 0) { - queryString = path.substring(pos + 1); - } else { - pos = path.length(); - } - // Retrieve the thread local mapping data MappingData mappingData = (MappingData) localMappingData.get(); if (mappingData == null) {
Modified: trunk/tomcat5.5/debian/changelog
===================================================================
--- trunk/tomcat5.5/debian/changelog 2008-10-05 12:15:37 UTC (rev 7117)
+++ trunk/tomcat5.5/debian/changelog 2008-10-05 12:18:06 UTC (rev 7118)
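Review bot: In the first ApplicationContext.java hunk, the relocated block still carries only the comment `// Get query string`, so nothing in the code records that the query string must be split off before `normalize(path)` runs. That ordering appears to be what the CVE-2008-2370 fix depends on, and a later tidy-up could move the block back without noticing. I would extend the comment to something like `// Split off the query string BEFORE normalize(): only the path part may be normalized (CVE-2008-2370)`. `pos` is also reused for two meanings, first the index of '?' and then, after `pos = path.length();`, the end of the normalized path; a short comment on that assignment such as `// pos now marks the end of the normalized path` would help, since the code that consumes `pos` is outside the hunk. The enclosing method starts and ends outside the hunk.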
@@ -1,7 +1,8 @@ tomcat5.5 (5.5.26-4) unstable; urgency=high * Security issues fixed. - - CVE-2008-1232: Cross-site scripting. + - CVE-2008-1232: Cross-site scripting + - CVE-2008-2370: Information disclosure -- Marcus Better <[EMAIL PROTECTED]> Sun, 05 Oct 2008 14:15:19 +0200

