Author: ozeigermann Date: Thu Nov 1 05:27:06 2007 New Revision: 590978 URL: http://svn.apache.org/viewvc?rev=590978&view=rev Log: Quick-fix for security issue raised here
www.milw0rm.com/exploits/4567 Modified: jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java Modified: jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java URL: http://svn.apache.org/viewvc/jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java?rev=590978&r1=590977&r2=590978&view=diff ============================================================================== --- jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java (original) +++ jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java Thu Nov 1 05:27:06 2007 @@ -60,6 +60,7 @@ import org.apache.slide.webdav.util.WebdavStatus; import org.jdom.Element; import org.jdom.JDOMException; +import org.jdom.output.Format; import org.jdom.output.XMLOutputter; /** @@ -293,6 +294,10 @@ */ private void parseOwner(Element ownerElement) throws JDOMException { + lockInfo_lockOwner = DEFAULT_LOCK_OWNER; + + // ozeigermann, 1. November 2007: Had to disable this part due to an exploit caused by JDOM (as it seems): http://www.milw0rm.com/exploits/4567 + /* if (ownerElement == null) { lockInfo_lockOwner = DEFAULT_LOCK_OWNER; return; @@ -301,6 +306,7 @@ StringWriter stringWriter = new StringWriter(); XMLOutputter xmlOutputter = new XMLOutputter(); + try { xmlOutputter.outputElementContent(ownerElement, stringWriter); } catch (IOException e) { @@ -315,6 +321,7 @@ //throw new JDOMException("<"+E_OWNER+"> element must not be // empty"); } + */ } /** --------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
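Review bot: The added `import org.jdom.output.Format;` is not referenced by any line in the hunks shown here; the only XMLOutputter use visible is `new XMLOutputter()` with no arguments, inside the block that this commit comments out. Unless Format is used elsewhere in LockMethod.java, the import should be dropped so the security fix stays minimal and compiles without an unused-import warning.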
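Review bot: In parseOwner the body is commented out rather than removed, which stops the owner content from being written back but leaves the parsing of the request XML untouched. `ownerElement` arrives here already built, so if the reported exploit relies on entity or DTD expansion in the LOCK body (the in-code comment only says "as it seems"), that expansion has probably already happened before this method runs. The durable fix belongs in the code that builds the request document, which is outside these hunks: make the parser reject DOCTYPE declarations and external entities, then restore owner handling. As written, every lock is recorded with DEFAULT_LOCK_OWNER, so clients can no longer tell who holds a lock, and the parameter and the `throws JDOMException` clause are now unused. I would delete the dead block, which spans the hunks at -293, -301 and -315, and leave a comment such as `// Owner content from the request is ignored for now; every lock reports DEFAULT_LOCK_OWNER until request parsing is hardened.`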