Author: drazzib
Date: 2012-06-16 23:41:26 +0000 (Sat, 16 Jun 2012)
New Revision: 16134

Added:
   branches/libspring-2.5-java/squeeze/debian/patches/CVE-2011-2730.diff
Modified:
   branches/libspring-2.5-java/squeeze/debian/changelog
   branches/libspring-2.5-java/squeeze/debian/patches/series
Log:
* Backport fix for CVE-2011-2730: Spring Framework information disclosure
  from 2.5.6.SEC03 on upstream maintenance repository (Closes: #677814):
  - d/patches/CVE-2011-2730.diff: A new context parameter has been added
    called springJspExpressionSupport. When true (the default) the existing
    behaviour of evaluating EL within the tag will be performed. When running
    in an environment where EL support is provided by the container, it is
    strongly recommended that this is set to false

Modified: branches/libspring-2.5-java/squeeze/debian/changelog
===================================================================
--- branches/libspring-2.5-java/squeeze/debian/changelog        2012-06-16 
22:07:17 UTC (rev 16133)
+++ branches/libspring-2.5-java/squeeze/debian/changelog        2012-06-16 
23:41:26 UTC (rev 16134)
@@ -1,3 +1,15 @@
+libspring-2.5-java (2.5.6.SEC02-2+squeeze1) stable-security; urgency=high
+
+  * Backport fix for CVE-2011-2730: Spring Framework information disclosure
+    from 2.5.6.SEC03 on upstream maintainance repository (Closes: #677814):
+    - d/patches/CVE-2011-2730.diff: A new context parameter has been added
+      called springJspExpressionSupport. When true (the default) the existing
+      behaviour of evaluating EL within the tag will be performed. When running
+      in an environment where EL support is provided by the container, it is
+      strongly recommended that this is set to false
+
+ -- Damien Raude-Morvan <[email protected]>  Sun, 17 Jun 2012 00:13:30 +0200
+
 libspring-2.5-java (2.5.6.SEC02-2) unstable; urgency=low
 
   [ Miguel Landaeta ]

Added: branches/libspring-2.5-java/squeeze/debian/patches/CVE-2011-2730.diff
===================================================================
--- branches/libspring-2.5-java/squeeze/debian/patches/CVE-2011-2730.diff       
                        (rev 0)
+++ branches/libspring-2.5-java/squeeze/debian/patches/CVE-2011-2730.diff       
2012-06-16 23:41:26 UTC (rev 16134)
@@ -0,0 +1,130 @@
+Description: Fix CVE-2011-2730 in libspring-2.5-java.
+ <URL: http://www.securityfocus.com/archive/1/519586/30/0/threaded>
+ A new context parameter has been added called springJspExpressionSupport.
+ When true (the default) the existing behaviour of evaluating EL within the tag
+ will be performed. When running in an environment where EL support is provided
+ by the container, it is strongly recommended that this is set to false
+From: 
https://src.springframework.org/svn/spring-maintenance/tags/release-2-5-6-SEC03/
+Bug-Vendor: http://www.springsource.com/security/cve-2011-2730
+Bug-Debian: http://bugs.debian.org/677814
+--- a/src/org/springframework/web/util/ExpressionEvaluationUtils.java
++++ b/src/org/springframework/web/util/ExpressionEvaluationUtils.java
+@@ -70,6 +70,12 @@
+ public abstract class ExpressionEvaluationUtils {
+ 
+       /**
++       * Expression support parameter at the servlet context level
++       * (i.e. a context-param in <code>web.xml</code>): 
"springJspExpressionSupport".
++       */
++      public static final String EXPRESSION_SUPPORT_CONTEXT_PARAM = 
"springJspExpressionSupport";
++
++      /**
+        * JSP 2.0 expression cache parameter at the servlet context level
+        * (i.e. a context-param in <code>web.xml</code>): 
"cacheJspExpressions".
+        */
+@@ -122,6 +128,31 @@
+ 
+ 
+       /**
++       * Check whether Spring's JSP expression support is actually active.
++       * <p>Note that JSP 2.0+ containers come with expression support 
themselves:
++       * However, it will only be active for web applications declaring 
Servlet 2.4
++       * or higher in their <code>web.xml</code> deployment descriptor.
++       * <p>If a <code>web.xml</code> context-param named 
"springJspExpressionSupport" is
++       * found, its boolean value will be taken to decide whether this 
support is active.
++       * If not found, for backwards compatibility with Servlet 2.3 
applications,
++       * Spring's expression support will remain active by default.
++       * <p><b>Recommendations:</b> Explicitly set 
"springJspExpressionSupport" to "false"
++       * in order to prevent double evaluation for Servlet 2.4+ based 
applications.
++       * @param pageContext current JSP PageContext
++       * @return <code>true</code> if active (ExpressionEvaluationUtils will 
actually evaluate expressions);
++       * <code>false</code> if not active (ExpressionEvaluationUtils will 
return given values as-is,
++       * relying on the JSP container pre-evaluating values before passing 
them to JSP tag attributes)
++       */
++      public static boolean isSpringJspExpressionSupportActive(PageContext 
pageContext) {
++              ServletContext sc = pageContext.getServletContext();
++              String springJspExpressionSupport = 
sc.getInitParameter(EXPRESSION_SUPPORT_CONTEXT_PARAM);
++              if (springJspExpressionSupport != null) {
++                      return 
Boolean.valueOf(springJspExpressionSupport).booleanValue();
++              }
++              return true;
++      }
++
++      /**
+        * Check if the given expression value is an EL expression.
+        * @param value the expression to check
+        * @return <code>true</code> if the expression is an EL expression,
+@@ -144,9 +175,9 @@
+        * the result class
+        */
+       public static Object evaluate(String attrName, String attrValue, Class 
resultClass, PageContext pageContext)
+-          throws JspException {
++                      throws JspException {
+ 
+-              if (isExpressionLanguage(attrValue)) {
++              if (isSpringJspExpressionSupportActive(pageContext) && 
isExpressionLanguage(attrValue)) {
+                       return doEvaluate(attrName, attrValue, resultClass, 
pageContext);
+               }
+               else if (attrValue != null && resultClass != null && 
!resultClass.isInstance(attrValue)) {
+@@ -167,9 +198,9 @@
+        * @throws JspException in case of parsing errors
+        */
+       public static Object evaluate(String attrName, String attrValue, 
PageContext pageContext)
+-          throws JspException {
++                      throws JspException {
+ 
+-              if (isExpressionLanguage(attrValue)) {
++              if (isSpringJspExpressionSupportActive(pageContext) && 
isExpressionLanguage(attrValue)) {
+                       return doEvaluate(attrName, attrValue, Object.class, 
pageContext);
+               }
+               else {
+@@ -186,9 +217,9 @@
+        * @throws JspException in case of parsing errors
+        */
+       public static String evaluateString(String attrName, String attrValue, 
PageContext pageContext)
+-          throws JspException {
++                      throws JspException {
+ 
+-              if (isExpressionLanguage(attrValue)) {
++              if (isSpringJspExpressionSupportActive(pageContext) && 
isExpressionLanguage(attrValue)) {
+                       return (String) doEvaluate(attrName, attrValue, 
String.class, pageContext);
+               }
+               else {
+@@ -207,7 +238,7 @@
+       public static int evaluateInteger(String attrName, String attrValue, 
PageContext pageContext)
+                       throws JspException {
+ 
+-              if (isExpressionLanguage(attrValue)) {
++              if (isSpringJspExpressionSupportActive(pageContext) && 
isExpressionLanguage(attrValue)) {
+                       return ((Integer) doEvaluate(attrName, attrValue, 
Integer.class, pageContext)).intValue();
+               }
+               else {
+@@ -224,9 +255,9 @@
+        * @throws JspException in case of parsing errors
+        */
+       public static boolean evaluateBoolean(String attrName, String 
attrValue, PageContext pageContext)
+-          throws JspException {
++                      throws JspException {
+ 
+-              if (isExpressionLanguage(attrValue)) {
++              if (isSpringJspExpressionSupportActive(pageContext) && 
isExpressionLanguage(attrValue)) {
+                       return ((Boolean) doEvaluate(attrName, attrValue, 
Boolean.class, pageContext)).booleanValue();
+               }
+               else {
+--- a/test/org/springframework/web/util/ExpressionEvaluationUtilsTests.java
++++ b/test/org/springframework/web/util/ExpressionEvaluationUtilsTests.java
+@@ -37,6 +37,14 @@
+  */
+ public class ExpressionEvaluationUtilsTests extends TestCase {
+ 
++      public void testIsSpringJspExpressionSupportActive() {
++              MockServletContext sc = new MockServletContext();
++              PageContext pc = new MockPageContext(sc);
++              
assertTrue(ExpressionEvaluationUtils.isSpringJspExpressionSupportActive(pc));
++              sc.addInitParameter("springJspExpressionSupport", "false");
++              
assertFalse(ExpressionEvaluationUtils.isSpringJspExpressionSupportActive(pc));
++      }
++
+       public void testIsExpressionLanguage() {
+               
assertTrue(ExpressionEvaluationUtils.isExpressionLanguage("${bla}"));
+               
assertTrue(ExpressionEvaluationUtils.isExpressionLanguage("bla${bla}"));
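Review bot: `isSpringJspExpressionSupportActive` returns `true` when the `springJspExpressionSupport` context-param is absent, so the fix is opt-in: a web application whose `web.xml` is unchanged still reaches `doEvaluate` from all five `evaluate*` methods after this update. Since this is a stable-security upload, the package should tell administrators, for instance with a `debian/NEWS` entry saying that each Servlet 2.4+ application must set the context-param `springJspExpressionSupport` to `false` to stop the double evaluation. The added test covers only the flag lookup; a case that sets the parameter to `false` and asserts that `evaluateString("test", "${bla}", pc)` returns the literal `"${bla}"` would pin the behaviour the patch exists for. The guard also dereferences `pageContext` before it looks at `attrValue`; writing it as `isExpressionLanguage(attrValue) && isSpringJspExpressionSupportActive(pageContext)` would skip the context lookup for plain literals, assuming no caller relies on the current order. The `evaluate*` bodies continue past the nested hunks, so their else branches are not visible here.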

Modified: branches/libspring-2.5-java/squeeze/debian/patches/series
===================================================================
--- branches/libspring-2.5-java/squeeze/debian/patches/series   2012-06-16 
22:07:17 UTC (rev 16133)
+++ branches/libspring-2.5-java/squeeze/debian/patches/series   2012-06-16 
23:41:26 UTC (rev 16134)
@@ -13,3 +13,4 @@
 14_portlet_api.diff
 15_fix_build_with_asm3.diff
 16_commonj.diff
+CVE-2011-2730.diff

