[pkg-java] r7111 - in branches/tomcat5.5/5.5.26-2-security: connectors/coyote/src/java/org/apache/coyote/tomcat4 debian

marcusb-guest at alioth.debian.org marcusb-guest at alioth.debian.org
Sat Oct 4 22:53:07 UTC 2008


Author: marcusb-guest
Date: 2008-10-04 22:53:07 +0000 (Sat, 04 Oct 2008)
New Revision: 7111

Modified:
   branches/tomcat5.5/5.5.26-2-security/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
   branches/tomcat5.5/5.5.26-2-security/debian/changelog
Log:
Apply fix for CVE-2008-2938 from http://svn.apache.org/viewvc?view=rev&revision=681065.


Modified: branches/tomcat5.5/5.5.26-2-security/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java
===================================================================
--- branches/tomcat5.5/5.5.26-2-security/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java	2008-10-04 22:50:07 UTC (rev 7110)
+++ branches/tomcat5.5/5.5.26-2-security/connectors/coyote/src/java/org/apache/coyote/tomcat4/CoyoteAdapter.java	2008-10-04 22:53:07 UTC (rev 7111)
@@ -264,6 +264,13 @@
             }
         }
 
+        // Check that the URI is still normalized
+        if (!checkNormalize(req.decodedURI())) {
+            res.setStatus(400);
+            res.setMessage("Invalid URI character encoding");
+            throw new IOException("Invalid URI character encoding");
+        }
+
         // Parse cookies
         parseCookies(req, request);
 
@@ -654,6 +661,67 @@
     }
 
 
+    /**
+     * Check that the URI is normalized following character decoding.
+     * <p>
+     * This method checks for "\", 0, "//", "/./" and "/../". This method will
+     * return false if sequences that are supposed to be normalized are still 
+     * present in the URI.
+     * 
+     * @param uriMB URI to be checked (should be chars)
+     */
+    public static boolean checkNormalize(MessageBytes uriMB) {
+
+        CharChunk uriCC = uriMB.getCharChunk();
+        char[] c = uriCC.getChars();
+        int start = uriCC.getStart();
+        int end = uriCC.getEnd();
+
+        int pos = 0;
+
+        // Check for '\' and 0
+        for (pos = start; pos < end; pos++) {
+            if (c[pos] == '\\') {
+                return false;
+            }
+            if (c[pos] == 0) {
+                return false;
+            }
+        }
+
+        // Check for "//"
+        for (pos = start; pos < (end - 1); pos++) {
+            if (c[pos] == '/') {
+                if (c[pos + 1] == '/') {
+                    return false;
+                }
+            }
+        }
+
+        // Check for ending with "/." or "/.."
+        if (((end - start) >= 2) && (c[end - 1] == '.')) {
+            if ((c[end - 2] == '/') 
+                    || ((c[end - 2] == '.') 
+                    && (c[end - 3] == '/'))) {
+                return false;
+            }
+        }
+
+        // Check for "/./"
+        if (uriCC.indexOf("/./", 0, 3, 0) >= 0) {
+            return false;
+        }
+
+        // Check for "/../"
+        if (uriCC.indexOf("/../", 0, 4, 0) >= 0) {
+            return false;
+        }
+
+        return true;
+
+    }
+
+
     // ------------------------------------------------------ Protected Methods
 
 
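Review bot: The trailing "/.." test in checkNormalize reads `c[end - 3]` under a guard of only `(end - start) >= 2`, so a two-character chunk ending in ".." (e.g. "..") indexes one position before `start`, which is an ArrayIndexOutOfBoundsException when `start` is 0 and a stale byte otherwise. In practice the decoded URI has presumably already been normalized to begin with '/', so "/." short-circuits on `c[end - 2] == '/'` before the third index is touched, but a rejection routine should not depend on that; tightening the inner condition to `if ((c[end - 2] == '/') || (((end - start) >= 3) && (c[end - 2] == '.') && (c[end - 3] == '/')))` keeps every existing rejection and removes the out-of-range read. The Javadoc also lacks a `@return` tag; I would add `@return {@code true} if no backslash, NUL, "//", "/./" or "/../" sequence (or trailing "/." / "/..") remains, {@code false} otherwise`.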

Modified: branches/tomcat5.5/5.5.26-2-security/debian/changelog
===================================================================
--- branches/tomcat5.5/5.5.26-2-security/debian/changelog	2008-10-04 22:50:07 UTC (rev 7110)
+++ branches/tomcat5.5/5.5.26-2-security/debian/changelog	2008-10-04 22:53:07 UTC (rev 7111)
@@ -1,8 +1,8 @@
 tomcat5.5 (5.5.26-3) unstable; urgency=high
 
-  * Security issues fixed.
+  * Security issues fixed. Closes: #494504
     - CVE-2008-1232: XSS vulnerability.
-    - CVE-2008-2370: directory traversal vulnerability.
+    - CVE-2008-2370, CVE-2008-2938: directory traversal vulnerabilities.
 
  -- Marcus Better <marcus at better.se>  Sun, 05 Oct 2008 00:49:17 +0200
 



