Author: ozeigermann
Date: Thu Nov  1 05:27:06 2007
New Revision: 590978

URL: http://svn.apache.org/viewvc?rev=590978&view=rev
Log:
Quick-fix for security issue raised here

www.milw0rm.com/exploits/4567

Modified:
    
jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java

Modified: 
jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java
URL: 
http://svn.apache.org/viewvc/jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java?rev=590978&r1=590977&r2=590978&view=diff
==============================================================================
--- 
jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java
 (original)
+++ 
jakarta/slide/branches/SLIDE_2_1_RELEASE_BRANCH/src/webdav/server/org/apache/slide/webdav/method/LockMethod.java
 Thu Nov  1 05:27:06 2007
@@ -60,6 +60,7 @@
 import org.apache.slide.webdav.util.WebdavStatus;
 import org.jdom.Element;
 import org.jdom.JDOMException;
+import org.jdom.output.Format;
 import org.jdom.output.XMLOutputter;
 
 /**
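Review bot: The added `import org.jdom.output.Format;` is not used by any new line in the hunks shown, so it looks like a leftover from an attempted change to the `XMLOutputter` setup. If nothing else in LockMethod.java references `Format`, drop the import so the security quick-fix stays minimal and does not introduce an unused-import warning.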
@@ -293,6 +294,10 @@
         */
        private void parseOwner(Element ownerElement) throws JDOMException {
 
+               lockInfo_lockOwner = DEFAULT_LOCK_OWNER;
+
+               // ozeigermann, 1. November 2007: Had to disable this part due 
to an exploit caused by JDOM (as it seems): http://www.milw0rm.com/exploits/4567
+               /*
                if (ownerElement == null) {
                        lockInfo_lockOwner = DEFAULT_LOCK_OWNER;
                        return;
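Review bot: In parseOwner, the new `lockInfo_lockOwner = DEFAULT_LOCK_OWNER;` runs unconditionally and the serialisation of `ownerElement` is commented out, so every lock now carries the default owner and the client's owner value is silently dropped. This stops the owner content from being echoed back in the response. However, the in-code comment is itself unsure of the cause ("as it seems"), and if the real problem is entity expansion while the request body is parsed, the code that builds `ownerElement` is outside this hunk and remains unchanged. The durable fix would belong there, by rejecting DOCTYPE declarations or disabling external entity resolution in the request parser. I would replace the commented-out block with a short marker such as `// TODO(security): owner echo disabled pending a parser-level fix (no DOCTYPE / external entities in request XML)`, and note in the Javadoc that `ownerElement` is now ignored and `JDOMException` is no longer thrown. The method body continues past this hunk; the closing `*/` is added in the later hunk at -315.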
@@ -301,6 +306,7 @@
 
                StringWriter stringWriter = new StringWriter();
                XMLOutputter xmlOutputter = new XMLOutputter();
+
                try {
                        xmlOutputter.outputElementContent(ownerElement, 
stringWriter);
                } catch (IOException e) {
@@ -315,6 +321,7 @@
                        //throw new JDOMException("<"+E_OWNER+"> element must 
not be
                        // empty");
                }
+               */
        }
 
        /**


