Markus Koschany pushed to branch stretch at Debian Java Maintainers / jetty9
Commits: 3e2ed9be by Markus Koschany at 2022-07-20T15:47:29+02:00 Add CVE-2022-2047.patch - - - - - 2 changed files: - + debian/patches/CVE-2022-2047.patch - debian/patches/series Changes: ===================================== debian/patches/CVE-2022-2047.patch ===================================== 
@@ -0,0 +1,48 @@
+From: Markus Koschany <[email protected]>
+Date: Mon, 18 Jul 2022 14:05:22 +0200
+Subject: CVE-2022-2047
+
+Now always adding a "/" before the path, if not already present.
+
+Origin: https://github.com/eclipse/jetty.project/pull/8146/commits/878ff231867c5d257eeb2340b739cd84dd233c26
+---
+ .../src/main/java/org/eclipse/jetty/client/HttpRequest.java | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
+index 58c9295..c3b099c 100644
+--- a/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
++++ b/jetty-client/src/main/java/org/eclipse/jetty/client/HttpRequest.java
+@@ -174,6 +174,8 @@ public class HttpRequest implements Request
+ rawPath = path;
+ if (rawPath == null)
+ rawPath = "";
++ if (!rawPath.startsWith("/"))
++ rawPath = "/" + rawPath;
+ this.path = rawPath;
+ String query = uri.getRawQuery();
+ if (query != null)
+@@ -793,16 +795,20 @@ public class HttpRequest implements Request
+ return result;
+ }
+
+- private URI newURI(String uri)
++ private URI newURI(String path)
+ {
+ try
+ {
+- return new URI(uri);
++ // Handle specially the "OPTIONS *" case, since it is possible to create a URI from "*" (!).
++ if ("*".equals(path))
++ return null;
++ URI result = new URI(path);
++ return result.isOpaque() ? null : result;
+ }
+ catch (URISyntaxException x)
+ {
+ // The "path" of a HTTP request may not be a URI,
+- // for example for CONNECT 127.0.0.1:8080 or OPTIONS *.
++ // for example for CONNECT 127.0.0.1:8080.
+ return null;
+ }
+ }
===================================== debian/patches/series =====================================
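Review bot: In the embedded HttpRequest.java patch, `newURI` now returns null for `*` and for any opaque URI, where it previously returned a URI object, and nothing in the patch documents this wider null contract. Because this is a backport of a single upstream commit, every call site of `newURI` in this branch should be checked for a null guard; none of the call sites fall inside the two inner hunks, and the method patched around line 174 starts and ends outside its hunk. I would add a comment above the method such as `// Returns null for "*", for opaque URIs (e.g. "localhost:8080") and for unparsable input; callers must handle null.` The forced leading "/" at line 177 also deserves a one-line comment saying why the slash is required, since the patch header only states what is done, and the patch carries no regression test for either change.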
@@ -6,3 +6,4 @@
 ecj-dependency.patch
 CVE-2020-27216.patch
 CVE-2021-28169.patch
+CVE-2022-2047.patch
View it on GitLab: https://salsa.debian.org/java-team/jetty9/-/commit/3e2ed9be3c5d0517851e4c95132da4cfce2a4bb1 -- View it on GitLab: https://salsa.debian.org/java-team/jetty9/-/commit/3e2ed9be3c5d0517851e4c95132da4cfce2a4bb1 You're receiving this email because of your account on salsa.debian.org.

