Author: marcusb-guest Date: 2008-10-05 12:19:16 +0000 (Sun, 05 Oct 2008) New Revision: 7119
Modified: trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java trunk/tomcat5.5/debian/changelog Log: Apply fix for CVE-2008-2938 from http://svn.apache.org/viewvc?view=rev&revision=681065.
Modified: trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
===================================================================
--- trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java 2008-10-05 12:18:06 UTC (rev 7118)
+++ trunk/tomcat5.5/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java 2008-10-05 12:19:16 UTC (rev 7119)
@@ -264,6 +264,13 @@
 }
 }
+ // Check that the URI is still normalized
+ if (!checkNormalize(req.decodedURI())) {
+ res.setStatus(400);
+ res.setMessage("Invalid URI character encoding");
+ throw new IOException("Invalid URI character encoding");
+ }
+
 // Parse cookies
 parseCookies(req, request);
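Review bot: The comment on the added check, `// Check that the URI is still normalized`, does not say why a URI needs checking a second time, and that reason is the substance of the CVE-2008-2938 fix. Judging from the checkNormalize javadoc later in this commit, the earlier normalization pass ran before character decoding, so decoding can bring back sequences such as "/../"; I would spell that out, e.g. `// Decoding can reintroduce "\", NUL, "//", "/./" or "/../" after normalization, so re-check before the path is used (CVE-2008-2938)`. Whether the thrown IOException is logged by the caller is not visible here; a logged rejection would let operators see requests that trip this check. The enclosing method starts and ends outside the hunk.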
@@ -654,6 +661,67 @@
 }
+ /**
+ * Check that the URI is normalized following character decoding.
+ * <p>
+ * This method checks for "\", 0, "//", "/./" and "/../". This method will
+ * return false if sequences that are supposed to be normalized are still
+ * present in the URI.
+ *
+ * @param uriMB URI to be checked (should be chars)
+ */
+ public static boolean checkNormalize(MessageBytes uriMB) {
+
+ CharChunk uriCC = uriMB.getCharChunk();
+ char[] c = uriCC.getChars();
+ int start = uriCC.getStart();
+ int end = uriCC.getEnd();
+
+ int pos = 0;
+
+ // Check for '\' and 0
+ for (pos = start; pos < end; pos++) {
+ if (c[pos] == '\\') {
+ return false;
+ }
+ if (c[pos] == 0) {
+ return false;
+ }
+ }
+
+ // Check for "//"
+ for (pos = start; pos < (end - 1); pos++) {
+ if (c[pos] == '/') {
+ if (c[pos + 1] == '/') {
+ return false;
+ }
+ }
+ }
+
+ // Check for ending with "/." or "/.."
+ if (((end - start) >= 2) && (c[end - 1] == '.')) {
+ if ((c[end - 2] == '/')
+ || ((c[end - 2] == '.')
+ && (c[end - 3] == '/'))) {
+ return false;
+ }
+ }
+
+ // Check for "/./"
+ if (uriCC.indexOf("/./", 0, 3, 0) >= 0) {
+ return false;
+ }
+
+ // Check for "/../"
+ if (uriCC.indexOf("/../", 0, 4, 0) >= 0) {
+ return false;
+ }
+
+ return true;
+
+ }
+
+
 // ------------------------------------------------------ Protected Methods
Modified: trunk/tomcat5.5/debian/changelog
===================================================================
--- trunk/tomcat5.5/debian/changelog 2008-10-05 12:18:06 UTC (rev 7118)
+++ trunk/tomcat5.5/debian/changelog 2008-10-05 12:19:16 UTC (rev 7119)
@@ -3,6 +3,7 @@
 * Security issues fixed.
 - CVE-2008-1232: Cross-site scripting
 - CVE-2008-2370: Information disclosure
+ - CVE-2008-2938: Directory traversal
 -- Marcus Better <[EMAIL PROTECTED]> Sun, 05 Oct 2008 14:15:19 +0200
_______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits
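Review bot: In the tail check for "/." and "/..", `c[end - 3]` is read whenever the last two characters are `..`, but the guard only guarantees `(end - start) >= 2`, so a two-character chunk `..` reads one position before `start` (an ArrayIndexOutOfBoundsException when `start` is 0, otherwise a character that is not part of the URI). Callers probably always pass a URI beginning with `/`, which would hide this, but the method is `public static` and should hold on its own: `|| (((end - start) >= 3) && (c[end - 2] == '.') && (c[end - 3] == '/'))`. The javadoc also lacks an `@return` line stating that `false` means the URI must be rejected.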

