This is an automated email from the git hooks/post-receive script. ebourg-guest pushed a commit to branch jessie in repository tomcat8.
commit ce1bb3420c7b2deb152b279581d73f70bdf06b05 Author: Emmanuel Bourg <[email protected]> Date: Wed Jun 22 18:57:40 2016 +0200 Removed the code style changes from the patches --- debian/patches/CVE-2015-5174.patch | 88 +++----------------------------------- debian/patches/CVE-2015-5345.patch | 79 ++++++++-------------------------- debian/patches/CVE-2016-0714.patch | 8 ---- 3 files changed, 26 insertions(+), 149 deletions(-) diff --git a/debian/patches/CVE-2015-5174.patch b/debian/patches/CVE-2015-5174.patch index 19ffa3b..989a383 100644 --- a/debian/patches/CVE-2015-5174.patch +++ b/debian/patches/CVE-2015-5174.patch @@ -10,38 +10,9 @@ Origin: https://svn.apache.org/viewvc?view=revision&revision=1700897 webapps/docs/changelog.xml | 11 +++ 3 files changed, 135 insertions(+), 21 deletions(-) -diff --git a/java/org/apache/tomcat/util/http/RequestUtil.java b/java/org/apache/tomcat/util/http/RequestUtil.java -index ebe4f34..1ee4bca 100644 --- a/java/org/apache/tomcat/util/http/RequestUtil.java 
+++ b/java/org/apache/tomcat/util/http/RequestUtil.java -@@ -30,6 +30,9 @@ public class RequestUtil { - * try to perform security checks for malicious input. - * - * @param path Relative path to be normalized -+ * -+ * @return The normalized path or <code>null</code> of the path cannot be -+ * normalized - */ - public static String normalize(String path) { - return normalize(path, true); -@@ -44,11 +47,15 @@ public class RequestUtil { - * - * @param path Relative path to be normalized - * @param replaceBackSlash Should '\\' be replaced with '/' -+ * -+ * @return The normalized path or <code>null</code> of the path cannot be -+ * normalized - */ - public static String normalize(String path, boolean replaceBackSlash) { - -- if (path == null) -+ if (path == null) { - return null; -+ } - - // Create a place for the normalized path - String normalized = path; -@@ -56,9 +63,6 @@ public class RequestUtil { +@@ -56,9 +56,6 @@ if (replaceBackSlash && normalized.indexOf('\\') >= 0) normalized = normalized.replace('\\', '/'); 
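Review bot: The diffstat kept in the patch header is stale once the style-only hunks are dropped: ` 3 files changed, 135 insertions(+), 21 deletions(-)` survives as a context line at the top of this hunk, while the RequestUtil.java section below it shrinks to two small hunks. The same holds for CVE-2015-5345.patch, whose header still reads `13 files changed, 276 insertions(+), 19 deletions(-)` although the TomcatBaseTest.java section is removed entirely, which would leave twelve files. Anyone auditing these CVE backports against the upstream revisions named in `Origin:` will use those numbers as a quick completeness check, so regenerate the diffstat or drop it from the header. The inner hunk headers (`@@ -56,9 +56,6 @@`, `@@ -93,6 +90,14 @@`) look renumbered by hand, so it is worth confirming that the series still applies with no fuzz or offsets before upload.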
@@ -51,67 +22,24 @@ index ebe4f34..1ee4bca 100644 // Add a leading "/" if necessary if (!normalized.startsWith("/")) normalized = "/" + normalized; -@@ -66,34 +70,43 @@ public class RequestUtil { - // Resolve occurrences of "//" in the normalized path - while (true) { - int index = normalized.indexOf("//"); -- if (index < 0) -+ if (index < 0) { - break; -- normalized = normalized.substring(0, index) + -- normalized.substring(index + 1); -+ } -+ normalized = normalized.substring(0, index) + normalized.substring(index + 1); +@@ -93,6 +90,14 @@ + normalized.substring(index + 3); } - // Resolve occurrences of "/./" in the normalized path - while (true) { - int index = normalized.indexOf("/./"); -- if (index < 0) -+ if (index < 0) { - break; -- normalized = normalized.substring(0, index) + -- normalized.substring(index + 2); -+ } -+ normalized = normalized.substring(0, index) + normalized.substring(index + 2); - } - - // Resolve occurrences of "/../" in the normalized path - while (true) { - int index = normalized.indexOf("/../"); -- if (index < 0) -+ if (index < 0) { - break; -- if (index == 0) -- return (null); // Trying to go outside our context -+ } -+ if (index == 0) { -+ return null; // Trying to go outside our context -+ } - int index2 = normalized.lastIndexOf('/', index - 1); -- normalized = normalized.substring(0, index2) + -- normalized.substring(index + 3); -+ normalized = normalized.substring(0, index2) + normalized.substring(index + 3); -+ } -+ + if (normalized.equals("/.")) { + return "/"; + } + + if (normalized.equals("/..")) { + return null; // Trying to go outside our context - } - ++ } ++ // Return the normalized path that we have completed -- return (normalized); -+ return normalized; + return (normalized); } - } -diff --git a/test/org/apache/tomcat/util/http/TestRequestUtil.java b/test/org/apache/tomcat/util/http/TestRequestUtil.java -index fe3115f..f50098c 100644 --- a/test/org/apache/tomcat/util/http/TestRequestUtil.java 
+++ b/test/org/apache/tomcat/util/http/TestRequestUtil.java -@@ -23,11 +23,101 @@ import org.junit.Test; +@@ -23,11 +23,101 @@ public class TestRequestUtil { @Test @@ -218,8 +146,6 @@ index fe3115f..f50098c 100644 + assertEquals(expected,RequestUtil.normalize(input)); + } } -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index a89b75e..f552c88 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -1857,6 +1857,10 @@ diff --git a/debian/patches/CVE-2015-5345.patch b/debian/patches/CVE-2015-5345.patch index dc39b90..4e1547f 100644 --- a/debian/patches/CVE-2015-5345.patch +++ b/debian/patches/CVE-2015-5345.patch @@ -20,11 +20,9 @@ Origin: https://svn.apache.org/viewvc?view=revision&revision=1717209 webapps/docs/config/context.xml | 16 ++++++ 13 files changed, 276 insertions(+), 19 deletions(-) -diff --git a/java/org/apache/catalina/Context.java b/java/org/apache/catalina/Context.java -index a871b99..84c2a60 100644 --- a/java/org/apache/catalina/Context.java +++ b/java/org/apache/catalina/Context.java -@@ -1674,4 +1674,44 @@ public interface Context extends Container { +@@ -1674,4 +1674,44 @@ * processing cookies using the RFC6265 based cookie parser. */ public Charset getCookieEncodingCharset(); @@ -69,11 +67,9 @@ index a871b99..84c2a60 100644 + */ + public boolean getMapperDirectoryRedirectEnabled(); } -diff --git a/java/org/apache/catalina/authenticator/FormAuthenticator.java b/java/org/apache/catalina/authenticator/FormAuthenticator.java -index 57a3cd7..4933d03 100644 --- a/java/org/apache/catalina/authenticator/FormAuthenticator.java +++ b/java/org/apache/catalina/authenticator/FormAuthenticator.java -@@ -241,6 +241,20 @@ public class FormAuthenticator +@@ -241,6 +241,20 @@ // No -- Save this request and redirect to the form login page if (!loginAction) { 
@@ -94,11 +90,9 @@ index 57a3cd7..4933d03 100644 session = request.getSessionInternal(true); if (log.isDebugEnabled()) { log.debug("Save request in session '" + session.getIdInternal() + "'"); -diff --git a/java/org/apache/catalina/core/StandardContext.java b/java/org/apache/catalina/core/StandardContext.java -index f47dd3f..0615e26 100644 --- a/java/org/apache/catalina/core/StandardContext.java +++ b/java/org/apache/catalina/core/StandardContext.java -@@ -828,9 +828,44 @@ public class StandardContext extends ContainerBase +@@ -828,9 +828,44 @@ private boolean useRfc6265 = false; private Charset cookieEncoding = StandardCharsets.UTF_8; @@ -143,8 +137,6 @@ index f47dd3f..0615e26 100644 @Override public void setUseRfc6265(boolean useRfc6265) { -diff --git a/java/org/apache/catalina/core/mbeans-descriptors.xml b/java/org/apache/catalina/core/mbeans-descriptors.xml -index 64fe285..27847bf 100644 --- a/java/org/apache/catalina/core/mbeans-descriptors.xml +++ b/java/org/apache/catalina/core/mbeans-descriptors.xml @@ -181,6 +181,14 @@ @@ -162,11 +154,9 @@ index 64fe285..27847bf 100644 <attribute name="namingContextListener" description="Associated naming context listener." type="org.apache.catalina.core.NamingContextListener" /> -diff --git a/java/org/apache/catalina/mapper/Mapper.java b/java/org/apache/catalina/mapper/Mapper.java -index a40b257..0c57145 100644 --- a/java/org/apache/catalina/mapper/Mapper.java +++ b/java/org/apache/catalina/mapper/Mapper.java -@@ -830,20 +830,13 @@ public final class Mapper { +@@ -830,20 +830,13 @@ int pathOffset = path.getOffset(); int pathEnd = path.getEnd(); @@ -189,7 +179,7 @@ index a40b257..0c57145 100644 path.setOffset(servletPath); // Rule 1 -- Exact Match -@@ -878,10 +871,13 @@ public final class Mapper { +@@ -878,8 +871,11 @@ } } 
@@ -200,12 +190,9 @@ index a40b257..0c57145 100644 + path.append('/'); + pathEnd = path.getEnd(); mappingData.redirectPath.setChars -- (path.getBuffer(), pathOffset, pathEnd-pathOffset); -+ (path.getBuffer(), pathOffset, pathEnd - pathOffset); + (path.getBuffer(), pathOffset, pathEnd-pathOffset); path.setEnd(pathEnd - 1); - return; - } -@@ -996,9 +992,15 @@ public final class Mapper { +@@ -996,9 +992,15 @@ char[] buf = path.getBuffer(); if (contextVersion.resources != null && buf[pathEnd -1 ] != '/') { String pathStr = path.toString(); @@ -224,7 +211,7 @@ index a40b257..0c57145 100644 // Note: this mutates the path: do not do any processing // after this (since we set the redirectPath, there // shouldn't be any) -@@ -1015,7 +1017,6 @@ public final class Mapper { +@@ -1015,7 +1017,6 @@ path.setOffset(pathOffset); path.setEnd(pathEnd); @@ -232,11 +219,9 @@ index a40b257..0c57145 100644 } -diff --git a/java/org/apache/catalina/servlets/DefaultServlet.java b/java/org/apache/catalina/servlets/DefaultServlet.java -index cbf65b6..021425c 100644 --- a/java/org/apache/catalina/servlets/DefaultServlet.java +++ b/java/org/apache/catalina/servlets/DefaultServlet.java -@@ -342,6 +342,10 @@ public class DefaultServlet extends HttpServlet { +@@ -342,6 +342,10 @@ * @param request The servlet request we are processing */ protected String getRelativePath(HttpServletRequest request) { @@ -247,7 +232,7 @@ index cbf65b6..021425c 100644 // IMPORTANT: DefaultServlet can be mapped to '/' or '/path/*' but always // serves resources from the web app root with context rooted paths. // i.e. it can not be used to mount the web app root under a sub-path -@@ -703,7 +707,8 @@ public class DefaultServlet extends HttpServlet { +@@ -703,7 +707,8 @@ boolean serveContent = content; // Identify the requested resource path 
@@ -257,7 +242,7 @@ index cbf65b6..021425c 100644 if (debug > 0) { if (serveContent) log("DefaultServlet.serveResource: Serving resource '" + -@@ -713,6 +718,12 @@ public class DefaultServlet extends HttpServlet { +@@ -713,6 +718,12 @@ path + "' headers only"); } @@ -270,7 +255,7 @@ index cbf65b6..021425c 100644 WebResource resource = resources.getResource(path); if (!resource.exists()) { -@@ -827,6 +838,11 @@ public class DefaultServlet extends HttpServlet { +@@ -827,6 +838,11 @@ long contentLength = -1L; if (resource.isDirectory()) { @@ -282,7 +267,7 @@ index cbf65b6..021425c 100644 // Skip directory listings if we have been configured to // suppress them if (!listings) { -@@ -1032,6 +1048,16 @@ public class DefaultServlet extends HttpServlet { +@@ -1032,6 +1048,16 @@ } } @@ -299,11 +284,9 @@ index cbf65b6..021425c 100644 /** * Parse the content-range header. -diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java b/java/org/apache/catalina/servlets/WebdavServlet.java -index 7bccf76..1303d99 100644 --- a/java/org/apache/catalina/servlets/WebdavServlet.java +++ b/java/org/apache/catalina/servlets/WebdavServlet.java -@@ -375,6 +375,11 @@ public class WebdavServlet +@@ -375,6 +375,11 @@ */ @Override protected String getRelativePath(HttpServletRequest request) { @@ -315,11 +298,9 @@ index 7bccf76..1303d99 100644 // Are we being processed by a RequestDispatcher.include()? if (request.getAttribute( RequestDispatcher.INCLUDE_REQUEST_URI) != null) { -diff --git a/java/org/apache/catalina/startup/FailedContext.java b/java/org/apache/catalina/startup/FailedContext.java -index 73c6bf4..166ab45 100644 --- a/java/org/apache/catalina/startup/FailedContext.java +++ b/java/org/apache/catalina/startup/FailedContext.java -@@ -771,4 +771,21 @@ public class FailedContext extends LifecycleMBeanBase implements Context { +@@ -771,4 +771,21 @@ @Override public Charset getCookieEncodingCharset() { return StandardCharsets.UTF_8; } 
@@ -343,11 +324,9 @@ index 73c6bf4..166ab45 100644 + public boolean getMapperDirectoryRedirectEnabled() { return false; } + +} -diff --git a/test/org/apache/catalina/core/TesterContext.java b/test/org/apache/catalina/core/TesterContext.java -index ac4d945..36bfdfe 100644 --- a/test/org/apache/catalina/core/TesterContext.java +++ b/test/org/apache/catalina/core/TesterContext.java -@@ -1238,4 +1238,21 @@ public class TesterContext implements Context { +@@ -1238,4 +1238,21 @@ @Override public Charset getCookieEncodingCharset() { return StandardCharsets.UTF_8; } @@ -369,11 +348,9 @@ index ac4d945..36bfdfe 100644 + public boolean getMapperDirectoryRedirectEnabled() { return false; } + } -diff --git a/test/org/apache/catalina/mapper/TestMapperWebapps.java b/test/org/apache/catalina/mapper/TestMapperWebapps.java -index 9014efd..3778fdf 100644 --- a/test/org/apache/catalina/mapper/TestMapperWebapps.java +++ b/test/org/apache/catalina/mapper/TestMapperWebapps.java -@@ -18,6 +18,7 @@ package org.apache.catalina.mapper; +@@ -18,6 +18,7 @@ import java.io.File; import java.io.IOException; @@ -381,7 +358,7 @@ index 9014efd..3778fdf 100644 import java.util.HashMap; import java.util.List; -@@ -33,7 +34,10 @@ import org.apache.catalina.Context; +@@ -33,7 +34,10 @@ import org.apache.catalina.core.StandardContext; import org.apache.catalina.startup.Tomcat; import org.apache.catalina.startup.TomcatBaseTest; @@ -392,7 +369,7 @@ index 9014efd..3778fdf 100644 import org.apache.tomcat.websocket.server.WsContextListener; /** -@@ -226,6 +230,66 @@ public class TestMapperWebapps extends TomcatBaseTest{ +@@ -226,6 +230,66 @@ Assert.assertEquals(HttpServletResponse.SC_NOT_FOUND, rc); } 
@@ -459,22 +436,6 @@ index 9014efd..3778fdf 100644 /** * Prepare a string to search in messages that contain a timestamp, when it * is known that the timestamp was printed between {@code timeA} and -diff --git a/test/org/apache/catalina/startup/TomcatBaseTest.java b/test/org/apache/catalina/startup/TomcatBaseTest.java -index 2808317..0856ea6 100644 ---- a/test/org/apache/catalina/startup/TomcatBaseTest.java -+++ b/test/org/apache/catalina/startup/TomcatBaseTest.java -@@ -233,8 +233,7 @@ public abstract class TomcatBaseTest extends LoggingBaseTest { - String method) throws IOException { - - URL url = new URL(path); -- HttpURLConnection connection = -- (HttpURLConnection) url.openConnection(); -+ HttpURLConnection connection = (HttpURLConnection) url.openConnection(); - connection.setUseCaches(false); - connection.setReadTimeout(readTimeout); - connection.setRequestMethod(method); -diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml -index a0b4788..02762a0 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -188,6 +188,16 @@ @@ -506,8 +467,6 @@ index a0b4788..02762a0 100644 </changelog> </subsection> </section> -diff --git a/webapps/docs/config/context.xml b/webapps/docs/config/context.xml -index 41e66ae..91634f0 100644 --- a/webapps/docs/config/context.xml +++ b/webapps/docs/config/context.xml @@ -367,6 +367,22 @@ diff --git a/debian/patches/CVE-2016-0714.patch b/debian/patches/CVE-2016-0714.patch index cb5434c..f3fd235 100644 --- a/debian/patches/CVE-2016-0714.patch +++ b/debian/patches/CVE-2016-0714.patch @@ -536,14 +536,6 @@ diff --git a/webapps/docs/config/cluster-manager.xml b/webapps/docs/config/clust index 377884a..4958a39 100644 --- a/webapps/docs/config/cluster-manager.xml 
+++ b/webapps/docs/config/cluster-manager.xml -@@ -97,6 +97,7 @@ - varied by a servlet via the - <code>setMaxInactiveInterval</code> method of the <code>HttpSession</code> object.</p> - </attribute> -+ - <attribute name="sessionIdLength" required="false"> - <p>The length of session ids created by this Manager, measured in bytes, - excluding subsequent conversion to a hexadecimal string and @@ -182,6 +183,30 @@ effective only when <code>sendAllSessions</code> is <code>false</code>. Default is <code>2000</code> milliseconds. -- Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-java/tomcat8.git _______________________________________________ pkg-java-commits mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

