You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2008/01/06 13:00:32 UTC
svn commit: r609297 - in /tomcat:
container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
current/tc5.5.x/STATUS.txt
Author: markt
Date: Sun Jan 6 04:00:31 2008
New Revision: 609297
URL: http://svn.apache.org/viewvc?rev=609297&view=rev
Log:
Improve fix for CVE-2007-5461.
Modified:
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
tomcat/current/tc5.5.x/STATUS.txt
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties?rev=609297&r1=609296&r2=609297&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/LocalStrings.properties Sun Jan 6 04:00:31 2008
@@ -25,6 +25,7 @@
invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.externalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
directory.filename=Filename
directory.lastModified=Last Modified
directory.parent=Up To {0}
Modified: tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java
URL: http://svn.apache.org/viewvc/tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java?rev=609297&r1=609296&r2=609297&view=diff
==============================================================================
--- tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java (original)
+++ tomcat/container/tc5.5.x/catalina/src/share/org/apache/catalina/servlets/WebdavServlet.java Sun Jan 6 04:00:31 2008
@@ -20,6 +20,7 @@
import java.io.IOException;
+import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.security.MessageDigest;
@@ -40,6 +41,7 @@
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServletRequest;
@@ -61,6 +63,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
@@ -254,6 +257,8 @@
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(
+ new WebdavResolver(this.getServletContext()));
} catch(ParserConfigurationException e) {
throw new ServletException
(sm.getString("webdavservlet.jaxpfailed"));
@@ -2769,7 +2774,26 @@
}
-
+ // --------------------------------------------- WebdavResolver Inner Class
+ /**
+ * Work around for XML parsers that don't fully respect
+ * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+ * references are filtered out for security reasons. See CVE-2007-5461.
+ */
+ private class WebdavResolver implements EntityResolver {
+ private ServletContext context;
+
+ public WebdavResolver(ServletContext theContext) {
+ context = theContext;
+ }
+
+ public InputSource resolveEntity (String publicId, String systemId) {
+ context.log(sm.getString("webdavservlet.externalEntityIgnored",
+ publicId, systemId));
+ return new InputSource(
+ new StringReader("Ignored external entity"));
+ }
+ }
};
Modified: tomcat/current/tc5.5.x/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/current/tc5.5.x/STATUS.txt?rev=609297&r1=609296&r2=609297&view=diff
==============================================================================
--- tomcat/current/tc5.5.x/STATUS.txt (original)
+++ tomcat/current/tc5.5.x/STATUS.txt Sun Jan 6 04:00:31 2008
@@ -25,12 +25,6 @@
PATCHES PROPOSED TO BACKPORT:
[ New proposals should be added at the end of the list ]
-* Improve fix for webdav vulnerability to workaround what looks like a parser
- bug
- http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
- +1: markt, pero, fhanik
- -1:
-
* Fix bug in CGI servlet that causes it to fail when included
http://svn.apache.org/viewvc?view=rev&revision=595802
+1: markt, fhanik, funkman, pero
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org