Go to:
Gentoo Home
Documentation
Forums
Lists
Bugs
Planet
Store
Wiki
Get Gentoo!
Gentoo's Bugzilla – Attachment 251387 Details for
Bug 272566
<=www-servers/tomcat-{5.5.27-r3, 6.0.18-r3}: DoS, Information Disclosure and XSS in example (CVE-2008-5515,CVE-2009-{0033,0580,0781,0783})
Home
|
New
–
[Ex]
|
Browse
|
Search
|
Privacy Policy
|
[?]
|
Reports
|
Requests
|
Help
|
New Account
|
Log In
[x]
|
Forgot Password
Login:
[x]
[patch]
Patch 1 of 2 to fix CVE-2008-5515 in tomcat 5.5.27
27-CVE-2008-5515.1.diff (text/plain), 14.63 KB, created by
Paul B. Henson
on 2010-10-21 02:46:34 UTC
(
hide
)
Description:
Patch 1 of 2 to fix CVE-2008-5515 in tomcat 5.5.27
Filename:
MIME Type:
Creator:
Paul B. Henson
Created:
2010-10-21 02:46:34 UTC
Size:
14.63 KB
patch
obsolete
>Index: container/catalina/src/share/org/apache/naming/resources/FileDirContext.java >=================================================================== >--- container/catalina/src/share/org/apache/naming/resources/FileDirContext.java (revision 782756) >+++ container/catalina/src/share/org/apache/naming/resources/FileDirContext.java (revision 782757) >@@ -37,6 +37,7 @@ > import javax.naming.directory.ModificationItem; > import javax.naming.directory.SearchControls; > >+import org.apache.catalina.util.RequestUtil; > import org.apache.naming.NamingContextBindingsEnumeration; > import org.apache.naming.NamingContextEnumeration; > import org.apache.naming.NamingEntry; >@@ -773,50 +774,10 @@ > */ > protected String normalize(String path) { > >- String normalized = path; >+ return RequestUtil.normalize(path, File.separatorChar == '\\'); > >- // Normalize the slashes and add leading slash if necessary >- if (File.separatorChar == '\\' && normalized.indexOf('\\') >= 0) >- normalized = normalized.replace('\\', '/'); >- if (!normalized.startsWith("/")) >- normalized = "/" + normalized; >- >- // Resolve occurrences of "//" in the normalized path >- while (true) { >- int index = normalized.indexOf("//"); >- if (index < 0) >- break; >- normalized = normalized.substring(0, index) + >- normalized.substring(index + 1); > } > >- // Resolve occurrences of "/./" in the normalized path >- while (true) { >- int index = normalized.indexOf("/./"); >- if (index < 0) >- break; >- normalized = normalized.substring(0, index) + >- normalized.substring(index + 2); >- } >- >- // Resolve occurrences of "/../" in the normalized path >- while (true) { >- int index = normalized.indexOf("/../"); >- if (index < 0) >- break; >- if (index == 0) >- return (null); // Trying to go outside our context >- int index2 = normalized.lastIndexOf('/', index - 1); >- normalized = normalized.substring(0, index2) + >- normalized.substring(index + 3); >- } >- >- // Return the normalized path that we have completed >- return (normalized); >- >- } >- >- > /** > * Return a File object representing the specified normalized > * context-relative path if it exists and is readable. Otherwise, >Index: container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java >=================================================================== >--- container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java (revision 782756) >+++ container/catalina/src/share/org/apache/catalina/core/ApplicationHttpRequest.java (revision 782757) >@@ -318,10 +318,9 @@ > int pos = requestPath.lastIndexOf('/'); > String relative = null; > if (pos >= 0) { >- relative = RequestUtil.normalize >- (requestPath.substring(0, pos + 1) + path); >+ relative = requestPath.substring(0, pos + 1) + path; > } else { >- relative = RequestUtil.normalize(requestPath + path); >+ relative = requestPath + path; > } > > return (context.getServletContext().getRequestDispatcher(relative)); >Index: container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java >=================================================================== >--- container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java (revision 782756) >+++ container/catalina/src/share/org/apache/catalina/core/ApplicationContext.java (revision 782757) >@@ -43,6 +43,7 @@ > import org.apache.catalina.Wrapper; > import org.apache.catalina.deploy.ApplicationParameter; > import org.apache.catalina.util.Enumerator; >+import org.apache.catalina.util.RequestUtil; > import org.apache.catalina.util.ResourceSet; > import org.apache.catalina.util.ServerInfo; > import org.apache.catalina.util.StringManager; >@@ -388,7 +389,7 @@ > path = path.substring(0, pos); > } > >- path = normalize(path); >+ path = RequestUtil.normalize(path); > if (path == null) > return (null); > >@@ -475,7 +476,7 @@ > throw new MalformedURLException(sm.getString("applicationContext.requestDispatcher.iae", path)); > } > >- path = normalize(path); >+ path = RequestUtil.normalize(path); > if (path == null) > return (null); > >@@ -524,10 +525,13 @@ > */ > public InputStream getResourceAsStream(String path) { > >- path = normalize(path); > if (path == null || !path.startsWith("/")) > return (null); > >+ path = RequestUtil.normalize(path); >+ if (path == null) >+ return null; >+ > DirContext resources = context.getResources(); > if (resources != null) { > try { >@@ -560,7 +564,7 @@ > (sm.getString("applicationContext.resourcePaths.iae", path)); > } > >- path = normalize(path); >+ path = RequestUtil.normalize(path); > if (path == null) > return (null); > >@@ -870,45 +874,6 @@ > > > /** >- * Return a context-relative path, beginning with a "/", that represents >- * the canonical version of the specified path after ".." and "." elements >- * are resolved out. If the specified path attempts to go outside the >- * boundaries of the current context (i.e. too many ".." path elements >- * are present), return <code>null</code> instead. >- * >- * @param path Path to be normalized >- */ >- private String normalize(String path) { >- >- if (path == null) { >- return null; >- } >- >- String normalized = path; >- >- // Normalize the slashes >- if (normalized.indexOf('\\') >= 0) >- normalized = normalized.replace('\\', '/'); >- >- // Resolve occurrences of "/../" in the normalized path >- while (true) { >- int index = normalized.indexOf("/../"); >- if (index < 0) >- break; >- if (index == 0) >- return (null); // Trying to go outside our context >- int index2 = normalized.lastIndexOf('/', index - 1); >- normalized = normalized.substring(0, index2) + >- normalized.substring(index + 3); >- } >- >- // Return the normalized path that we have completed >- return (normalized); >- >- } >- >- >- /** > * Merge the context initialization parameters specified in the application > * deployment descriptor with the application parameters described in the > * server configuration, respecting the <code>override</code> property of >Index: container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java >=================================================================== >--- container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (revision 782756) >+++ container/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (revision 782757) >@@ -1369,76 +1369,6 @@ > resp.setStatus(WebdavStatus.SC_NO_CONTENT); > } > >- /** >- * Return a context-relative path, beginning with a "/", that represents >- * the canonical version of the specified path after ".." and "." elements >- * are resolved out. If the specified path attempts to go outside the >- * boundaries of the current context (i.e. too many ".." path elements >- * are present), return <code>null</code> instead. >- * >- * @param path Path to be normalized >- */ >- protected String normalize(String path) { >- if (path == null) { >- return null; >- } >- >- // Create a place for the normalized path >- String normalized = path; >- >- if (normalized.equals("/.")) { >- return "/"; >- } >- >- // Normalize the slashes and add leading slash if necessary >- if (normalized.indexOf('\\') >= 0) { >- normalized = normalized.replace('\\', '/'); >- } >- >- if (!normalized.startsWith("/")) { >- normalized = "/" + normalized; >- } >- >- // Resolve occurrences of "//" in the normalized path >- while (true) { >- int index = normalized.indexOf("//"); >- if (index < 0) { >- break; >- } >- normalized = normalized.substring(0, index) + >- normalized.substring(index + 1); >- } >- >- // Resolve occurrences of "/./" in the normalized path >- while (true) { >- int index = normalized.indexOf("/./"); >- if (index < 0) { >- break; >- } >- normalized = normalized.substring(0, index) + >- normalized.substring(index + 2); >- } >- >- // Resolve occurrences of "/../" in the normalized path >- while (true) { >- int index = normalized.indexOf("/../"); >- if (index < 0) { >- break; >- } >- if (index == 0) { >- return (null); // Trying to go outside our context >- } >- >- int index2 = normalized.lastIndexOf('/', index - 1); >- normalized = normalized.substring(0, index2) + >- normalized.substring(index + 3); >- } >- >- // Return the normalized path that we have completed >- return (normalized); >- } >- >- > // -------------------------------------------------------- Private Methods > > /** >@@ -1589,7 +1519,7 @@ > } > > // Normalise destination path (remove '.' and '..') >- destinationPath = normalize(destinationPath); >+ destinationPath = RequestUtil.normalize(destinationPath); > > String contextPath = req.getContextPath(); > if ((contextPath != null) && >@@ -2347,7 +2277,8 @@ > if (!toAppend.startsWith("/")) > toAppend = "/" + toAppend; > >- generatedXML.writeText(rewriteUrl(normalize(absoluteUri + toAppend))); >+ generatedXML.writeText(rewriteUrl(RequestUtil.normalize( >+ absoluteUri + toAppend))); > > generatedXML.writeElement(null, "href", XMLWriter.CLOSING); > >Index: container/catalina/src/share/org/apache/catalina/connector/Request.java >=================================================================== >--- container/catalina/src/share/org/apache/catalina/connector/Request.java (revision 782756) >+++ container/catalina/src/share/org/apache/catalina/connector/Request.java (revision 782757) >@@ -1243,10 +1243,9 @@ > int pos = requestPath.lastIndexOf('/'); > String relative = null; > if (pos >= 0) { >- relative = RequestUtil.normalize >- (requestPath.substring(0, pos + 1) + path); >+ relative = requestPath.substring(0, pos + 1) + path; > } else { >- relative = RequestUtil.normalize(requestPath + path); >+ relative = requestPath + path; > } > > return (context.getServletContext().getRequestDispatcher(relative)); >Index: container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java >=================================================================== >--- container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java (revision 782756) >+++ container/catalina/src/share/org/apache/catalina/ssi/SSIServletRequestUtil.java (revision 782757) >@@ -48,7 +48,7 @@ > if ((result == null) || (result.equals(""))) { > result = "/"; > } >- return normalize(result); >+ return RequestUtil.normalize(result); > } > > >@@ -64,15 +64,9 @@ > * > * @param path > * Path to be normalized >+ * @deprecated > */ > public static String normalize(String path) { >- if (path == null) return null; >- String normalized = path; >- //Why doesn't RequestUtil do this?? >- // Normalize the slashes and add leading slash if necessary >- if (normalized.indexOf('\\') >= 0) >- normalized = normalized.replace('\\', '/'); >- normalized = RequestUtil.normalize(path); >- return normalized; >+ return RequestUtil.normalize(path); > } > } >\ No newline at end of file >Index: container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java >=================================================================== >--- container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java (revision 782756) >+++ container/catalina/src/share/org/apache/catalina/ssi/SSIServletExternalResolver.java (revision 782757) >@@ -32,6 +32,7 @@ > import javax.servlet.http.HttpServletRequest; > import javax.servlet.http.HttpServletResponse; > import org.apache.catalina.connector.Request; >+import org.apache.catalina.util.RequestUtil; > import org.apache.coyote.Constants; > > /** >@@ -373,7 +374,7 @@ > + pathWithoutContext); > } > String fullPath = prefix + path; >- String retVal = SSIServletRequestUtil.normalize(fullPath); >+ String retVal = RequestUtil.normalize(fullPath); > if (retVal == null) { > throw new IOException("Normalization yielded null on path: " > + fullPath); >@@ -406,7 +407,7 @@ > return new ServletContextAndPath(context, > getAbsolutePath(virtualPath)); > } else { >- String normalized = SSIServletRequestUtil.normalize(virtualPath); >+ String normalized = RequestUtil.normalize(virtualPath); > if (isVirtualWebappRelative) { > return new ServletContextAndPath(context, normalized); > } else { >Index: container/catalina/src/share/org/apache/catalina/util/RequestUtil.java >=================================================================== >--- container/catalina/src/share/org/apache/catalina/util/RequestUtil.java (revision 782756) >+++ container/catalina/src/share/org/apache/catalina/util/RequestUtil.java (revision 782757) >@@ -147,13 +147,29 @@ > * @param path Relative path to be normalized > */ > public static String normalize(String path) { >+ return normalize(path, true); >+ } > >+ /** >+ * Normalize a relative URI path that may have relative values ("/./", >+ * "/../", and so on ) it it. <strong>WARNING</strong> - This method is >+ * useful only for normalizing application-generated paths. It does not >+ * try to perform security checks for malicious input. >+ * >+ * @param path Relative path to be normalized >+ * @param replaceBackSlash Should '\\' be replaced with '/' >+ */ >+ public static String normalize(String path, boolean replaceBackSlash) { >+ > if (path == null) > return null; > > // Create a place for the normalized path > String normalized = path; > >+ if (replaceBackSlash && normalized.indexOf('\\') >= 0) >+ normalized = normalized.replace('\\', '/'); >+ > if (normalized.equals("/.")) > return "/"; >
<b>You cannot view the attachment while viewing its details because your browser does not support IFRAMEs. <a href="attachment.cgi?id=251387">View the attachment on a separate page</a>.</b>
View Attachment As Diff
View Attachment As Raw
Actions:
View
|
Diff
Attachments on
bug 272566
: 251387 |
251389
|
251391
|
251393
|
251395
