This is an automated email from the git hooks/post-receive script.

apo pushed a commit to branch wheezy
in repository jackrabbit.

commit 9c45d69e03e1d0fdb31ea3662d6c6b65d984f696
Author: Markus Koschany <a...@debian.org>
Date:   Sun Sep 18 16:53:45 2016 +0200

    Import Debian patch 2.3.6-1+deb7u2
---
 .gitignore                         |   1 -
 debian/changelog                   |  11 +++
 debian/patches/CVE-2016-6801.patch | 192 +++++++++++++++++++++++++++++++++++++
 debian/patches/series              |   1 +
 4 files changed, 204 insertions(+), 1 deletion(-)

diff --git a/.gitignore b/.gitignore
deleted file mode 100644
index 845ca06..0000000
--- a/.gitignore
+++ /dev/null
@@ -1 +0,0 @@
-.pc
diff --git a/debian/changelog b/debian/changelog
index 1c193fd..2f15a38 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,14 @@
+jackrabbit (2.3.6-1+deb7u2) wheezy-security; urgency=high
+
+  * Non-maintainer upload by the LTS team.
+  * Fix CVE-2016-6801:
+    The CSRF content-type check for POST requests did not handle missing
+    Content-Type header fields, nor variations in field values with respect to
+    upper/lower case or optional parameters. This could be exploited to create
+    a resource via CSRF.
+
+ -- Markus Koschany <a...@debian.org>  Sun, 18 Sep 2016 16:53:45 +0200
+
 jackrabbit (2.3.6-1+deb7u1) wheezy-security; urgency=medium
 
   * Team upload.
diff --git a/debian/patches/CVE-2016-6801.patch 
b/debian/patches/CVE-2016-6801.patch
new file mode 100644
index 0000000..7ad632c
--- /dev/null
+++ b/debian/patches/CVE-2016-6801.patch
@@ -0,0 +1,192 @@
+From: Markus Koschany <a...@debian.org>
+Date: Sun, 18 Sep 2016 16:46:33 +0200
+Subject: CVE-2016-6801
+
+The CSRF content-type check for POST requests did not handle missing
+Content-Type header fields, nor variations in field values with respect to
+upper/lower case or optional parameters. This could be exploited to create a
+resource via CSRF.
+
+Backported to the 2.3 branch.
+
+Origin: https://svn.apache.org/viewvc?view=revision&revision=1758791
+---
+ .../apache/jackrabbit/spi2davex/PostMethod.java    |  1 +
+ .../org/apache/jackrabbit/webdav/DavResource.java  |  2 +-
+ .../webdav/server/AbstractWebdavServlet.java       |  3 +-
+ .../apache/jackrabbit/webdav/util/CSRFUtil.java    | 83 ++++++++++++++++++----
+ 4 files changed, 74 insertions(+), 15 deletions(-)
+
+diff --git 
a/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
 
b/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
+index 5355a72..f6e243c 100644
+--- 
a/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
++++ 
b/jackrabbit-spi2dav/src/main/java/org/apache/jackrabbit/spi2davex/PostMethod.java
+@@ -47,6 +47,7 @@ class PostMethod extends DavMethodBase {
+ 
+     public PostMethod(String uri) {
+         super(uri);
++        super.setRequestHeader("Referer", uri);
+         HttpMethodParams params = getParams();
+         params.setContentCharset("UTF-8");
+     }
+diff --git 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
+index c99b5cd..6e70a42 100644
+--- 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
++++ 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/DavResource.java
+@@ -40,7 +40,7 @@ public interface DavResource {
+     /**
+      * String constant representing the WebDAV 1 and 2 method set.
+      */
+-    public static final String METHODS = "OPTIONS, GET, HEAD, POST, TRACE, 
PROPFIND, PROPPATCH, MKCOL, COPY, PUT, DELETE, MOVE, LOCK, UNLOCK";
++    public static final String METHODS = "OPTIONS, GET, HEAD, TRACE, 
PROPFIND, PROPPATCH, MKCOL, COPY, PUT, DELETE, MOVE, LOCK, UNLOCK";
+ 
+     /**
+      * Returns a comma separated list of all compliance classes the given
+diff --git 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
+index 128946e..a1bdbf4 100644
+--- 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
++++ 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/server/AbstractWebdavServlet.java
+@@ -568,7 +568,7 @@ abstract public class AbstractWebdavServlet extends 
HttpServlet implements DavCo
+      */
+     protected void doPost(WebdavRequest request, WebdavResponse response,
+                           DavResource resource) throws IOException, 
DavException {
+-        doPut(request, response, resource);
++        response.sendError(HttpServletResponse.SC_METHOD_NOT_ALLOWED);
+     }
+ 
+     /**
+@@ -1356,7 +1356,6 @@ abstract public class AbstractWebdavServlet extends 
HttpServlet implements DavCo
+      * @param out
+      * @return
+      * @see #doPut(WebdavRequest, WebdavResponse, DavResource)
+-     * @see #doPost(WebdavRequest, WebdavResponse, DavResource)
+      * @see #doMkCol(WebdavRequest, WebdavResponse, DavResource)
+      */
+     protected OutputContext getOutputContext(DavServletResponse response, 
OutputStream out) {
+diff --git 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
+index 4d431eb..b5fc8f4 100644
+--- 
a/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
++++ 
b/jackrabbit-webdav/src/main/java/org/apache/jackrabbit/webdav/util/CSRFUtil.java
+@@ -19,12 +19,18 @@ package org.apache.jackrabbit.webdav.util;
+ import org.slf4j.Logger;
+ import org.slf4j.LoggerFactory;
+ 
+-import javax.servlet.http.HttpServletRequest;
+-import java.net.MalformedURLException;
+-import java.net.URL;
++import java.net.URI;
++import java.net.URISyntaxException;
++import java.util.Arrays;
+ import java.util.Collections;
++import java.util.Enumeration;
+ import java.util.HashSet;
+ import java.util.Set;
++import java.util.Locale;
++import javax.servlet.http.HttpServletRequest;
++
++import org.slf4j.Logger;
++import org.slf4j.LoggerFactory;
+ 
+ /**
+  * <code>CSRFUtil</code>...
+@@ -37,6 +43,19 @@ public class CSRFUtil {
+     public static final String DISABLED = "disabled";
+ 
+     /**
++     * Request content types for CSRF checking, see JCR-3909, JCR-4002, and 
JCR-4009
++     */
++    public static final Set<String> CONTENT_TYPES = 
Collections.unmodifiableSet(new HashSet<String>(
++            Arrays.asList(
++                    new String[] {
++                            "application/x-www-form-urlencoded",
++                            "multipart/form-data",
++                            "text/plain"
++                    }
++            )
++    ));
++
++    /**
+      * logger instance
+      */
+     private static final Logger log = LoggerFactory.getLogger(CSRFUtil.class);
+@@ -77,6 +96,7 @@ public class CSRFUtil {
+         if (config == null || config.length() == 0) {
+             disabled = false;
+             allowedReferrerHosts = Collections.emptySet();
++            log.debug("CSRF protection disabled");
+         } else {
+             if (DISABLED.equalsIgnoreCase(config.trim())) {
+                 disabled = true;
+@@ -89,23 +109,62 @@ public class CSRFUtil {
+                     allowedReferrerHosts.add(entry.trim());
+                 }
+             }
++            log.debug("CSRF protection enabled, allowed referrers: " + 
allowedReferrerHosts);
+         }
+     }
+ 
+-    public boolean isValidRequest(HttpServletRequest request) throws 
MalformedURLException {
++  public boolean isValidRequest(HttpServletRequest request) {
++
+         if (disabled) {
+             return true;
++        } else if (!"POST".equals(request.getMethod())) {
++            // protection only needed for POST
++            return true;
+         } else {
++            Enumeration<String> cts = (Enumeration<String>) 
request.getHeaders("Content-Type");
++            String ct = null;
++            if (cts != null && cts.hasMoreElements()) {
++                String t = cts.nextElement();
++                // prune parameters
++                int semicolon = t.indexOf(';');
++                if (semicolon >= 0) {
++                    t = t.substring(0, semicolon);
++                }
++                ct = t.trim().toLowerCase(Locale.ENGLISH);
++            }
++            if (cts != null && cts.hasMoreElements()) {
++                // reject if there are more header field instances
++                log.debug("request blocked because there were multiple 
content-type header fields");
++                return false;
++            }
++            if (ct != null && !CONTENT_TYPES.contains(ct)) {
++                // type present and not in blacklist
++                return true;
++            }
++
+             String refHeader = request.getHeader("Referer");
++            // empty referrer headers are not allowed for POST + relevant
++            // content types (see JCR-3909)
+             if (refHeader == null) {
+-                // empty referrer is always allowed
+-                return true;
+-            } else {
+-                String host = new URL(refHeader).getHost();
+-                // test referrer-host equelst server or
+-                // if it is contained in the set of explicitly allowed host 
names
+-                return host.equals(request.getServerName()) || 
allowedReferrerHosts.contains(host);
++                log.debug("POST with content type" + ct + " blocked due to 
missing referer header field");
++                return false;
++            }
++
++            try {
++                String host = new URI(refHeader).getHost();
++                // test referrer-host equals server or
++                // if it is contained in the set of explicitly allowed host
++                // names
++                boolean ok = host == null || 
host.equals(request.getServerName()) || allowedReferrerHosts.contains(host);
++                if (!ok) {
++                    log.debug("POST with content type" + ct + " blocked due 
to referer header field being: " + refHeader);
++                }
++                return ok;
++            } catch (URISyntaxException ex) {
++                // referrer malformed -> block access
++                log.debug("POST with content type" + ct + " blocked due to 
malformed referer header field: " + refHeader);
++                return false;
+             }
+         }
+     }
+-}
+\ No newline at end of file
++}
diff --git a/debian/patches/series b/debian/patches/series
index 7c77d0f..df13c07 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,3 +1,4 @@
 modules.diff
 servlet_api_25.diff
 CVE-2015-1833.patch
+CVE-2016-6801.patch

-- 
Alioth's /usr/local/bin/git-commit-notice on 
/srv/git.debian.org/git/pkg-java/jackrabbit.git

_______________________________________________
pkg-java-commits mailing list
pkg-java-commits@lists.alioth.debian.org
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

Reply via email to