Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/03/04 00:39:20 UTC
svn commit: r918778 - in /tomcat/tc5.5.x/trunk: ./
connectors/http11/src/java/org/apache/coyote/http11/
connectors/jk/java/org/apache/coyote/ajp/
connectors/jk/java/org/apache/jk/common/ container/webapps/docs/
Author: markt
Date: Wed Mar 3 23:39:19 2010
New Revision: 918778
URL: http://svn.apache.org/viewvc?rev=918778&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48581
Avoid security exception on first access
Modified:
tomcat/tc5.5.x/trunk/STATUS.txt
tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Constants.java
tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/Constants.java
tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/AjpConstants.java
tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/JkInputStream.java
tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
Modified: tomcat/tc5.5.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/STATUS.txt?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/STATUS.txt (original)
+++ tomcat/tc5.5.x/trunk/STATUS.txt Wed Mar 3 23:39:19 2010
@@ -100,12 +100,6 @@
+1: markt, rjung
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48581
- Avoid security exception on first access
- http://people.apache.org/~markt/patches/2010-02-02-bug48581.patch
- +1: markt, kkolinko, rjung
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48179
Improve processing of TLD cache file
https://issues.apache.org/bugzilla/attachment.cgi?id=24918
Modified: tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Constants.java?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Constants.java (original)
+++ tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/Constants.java Wed Mar 3 23:39:19 2010
@@ -206,4 +206,10 @@
public static final String POST = "POST";
+ /**
+ * Should custom status messages be allowed in headers? Replicated to avoid
+ * an exception on first access if running under a security manager.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER;
}
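Review bot: The Javadoc on `USE_CUSTOM_STATUS_MSG_IN_HEADER` says the value is replicated to avoid an exception under a security manager, but it does not say why the copy helps or what it relies on. The initializer still reads `org.apache.coyote.Constants`, so the access presumably just moves to the point where this class is initialised; whether that always happens before web application code is on the call stack is not visible in the hunk. I would add a sentence such as `Resolved once when this class is initialised, which must happen before request processing runs with application code on the stack.` and mention that identical copies live in `org.apache.coyote.ajp.Constants` and `org.apache.jk.common.AjpConstants`, so the three are changed together. The class body starts outside the hunk.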
Modified: tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java (original)
+++ tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalAprOutputBuffer.java Wed Mar 3 23:39:19 2010
@@ -430,7 +430,7 @@
// Write message
String message = null;
- if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER &&
+ if (Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER &&
HttpMessages.isSafeInHttpHeader(response.getMessage())) {
message = response.getMessage();
}
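Review bot: The guard in this `if` validates one call to `response.getMessage()` and then assigns the result of a second call, so the string checked by `HttpMessages.isSafeInHttpHeader` is not provably the one that ends up in the status line. Since the condition is being edited anyway, read the value once: `String custom = response.getMessage();` followed by `if (Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER && HttpMessages.isSafeInHttpHeader(custom)) { message = custom; }`. The same pattern appears in the InternalOutputBuffer, AjpAprProcessor and JkInputStream hunks. The enclosing method starts and ends outside the hunk, so whether the message can actually change between the two calls cannot be confirmed from here.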
Modified: tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java (original)
+++ tomcat/tc5.5.x/trunk/connectors/http11/src/java/org/apache/coyote/http11/InternalOutputBuffer.java Wed Mar 3 23:39:19 2010
@@ -449,7 +449,7 @@
// Write message
String message = null;
- if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER &&
+ if (Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER &&
HttpMessages.isSafeInHttpHeader(response.getMessage())) {
message = response.getMessage();
}
Modified: tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java (original)
+++ tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/AjpAprProcessor.java Wed Mar 3 23:39:19 2010
@@ -966,7 +966,7 @@
// HTTP header contents
responseHeaderMessage.appendInt(response.getStatus());
String message = null;
- if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER &&
+ if (Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER &&
HttpMessages.isSafeInHttpHeader(response.getMessage())) {
message = response.getMessage();
}
Modified: tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/Constants.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/Constants.java?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/Constants.java (original)
+++ tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/coyote/ajp/Constants.java Wed Mar 3 23:39:19 2010
@@ -339,5 +339,11 @@
*/
public static final String POST = "POST";
+ /**
+ * Should custom status messages be allowed in headers? Replicated to avoid
+ * an exception on first access if running under a security manager.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER;
}
Modified: tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/AjpConstants.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/AjpConstants.java?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/AjpConstants.java (original)
+++ tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/AjpConstants.java Wed Mar 3 23:39:19 2010
@@ -195,4 +195,11 @@
*/
public static final int MAX_READ_SIZE = MAX_PACKET_SIZE - H_SIZE - 2;
+ /**
+ * Should custom status messages be allowed in headers? Replicated to avoid
+ * an exception on first access if running under a security manager.
+ */
+ public static final boolean USE_CUSTOM_STATUS_MSG_IN_HEADER =
+ org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER;
+
}
Modified: tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/JkInputStream.java
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/JkInputStream.java?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/JkInputStream.java (original)
+++ tomcat/tc5.5.x/trunk/connectors/jk/java/org/apache/jk/common/JkInputStream.java Wed Mar 3 23:39:19 2010
@@ -280,7 +280,7 @@
outputMsg.appendInt( res.getStatus() );
String message = null;
- if (org.apache.coyote.Constants.USE_CUSTOM_STATUS_MSG_IN_HEADER &&
+ if (AjpConstants.USE_CUSTOM_STATUS_MSG_IN_HEADER &&
HttpMessages.isSafeInHttpHeader(res.getMessage())) {
message = res.getMessage();
}
Modified: tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml?rev=918778&r1=918777&r2=918778&view=diff
==============================================================================
--- tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml (original)
+++ tomcat/tc5.5.x/trunk/container/webapps/docs/changelog.xml Wed Mar 3 23:39:19 2010
@@ -187,6 +187,9 @@
listener is not enabled. (markt)
</fix>
<fix>
+ <bug>48581</bug>: Avoid security exception on first access. (markt)
+ </fix>
+ <fix>
CVE-2009-3555. Provide option to disable legacy SSL renegotiation.
(markt/costin)
</fix>