You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2007/10/22 15:19:06 UTC

svn commit: r587082 - in /tomcat/tc6.0.x/trunk: STATUS java/org/apache/catalina/servlets/LocalStrings.properties java/org/apache/catalina/servlets/WebdavServlet.java webapps/docs/changelog.xml

Author: markt
Date: Mon Oct 22 06:19:05 2007
New Revision: 587082

URL: http://svn.apache.org/viewvc?rev=587082&view=rev
Log:
Improve patch for WebDAV issue.

Modified:
    tomcat/tc6.0.x/trunk/STATUS
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties
    tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
    tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml

Modified: tomcat/tc6.0.x/trunk/STATUS
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=587082&r1=587081&r2=587082&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Mon Oct 22 06:19:05 2007
@@ -37,12 +37,6 @@
   +1: fhanik
   -1: 
 
-* Improve fix for webdav vulnerability to workaround what looks like a parser
-  bug
-  http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
-  +1: markt,fhanik, remm
-  -1:
-
 * Fix possible DoS condition for the experimental NIO/AJP module (reported by William Leung via email)
   http://issues.apache.org/bugzilla/show_bug.cgi?id=43621
   +1: billbarker,fhanik

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties?rev=587082&r1=587081&r2=587082&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties Mon Oct 22 06:19:05 2007
@@ -25,6 +25,7 @@
 invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
 invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
 webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
 directory.filename=Filename
 directory.lastModified=Last Modified
 directory.parent=Up To {0}

Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java?rev=587082&r1=587081&r2=587082&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java Mon Oct 22 06:19:05 2007
@@ -20,6 +20,7 @@
 
 
 import java.io.IOException;
+import java.io.StringReader;
 import java.io.StringWriter;
 import java.io.Writer;
 import java.security.MessageDigest;
@@ -36,6 +37,7 @@
 import javax.naming.NamingEnumeration;
 import javax.naming.NamingException;
 import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
 import javax.servlet.ServletException;
 import javax.servlet.UnavailableException;
 import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@
 import org.w3c.dom.Element;
 import org.w3c.dom.Node;
 import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
 import org.xml.sax.InputSource;
 import org.xml.sax.SAXException;
 
@@ -245,6 +248,8 @@
             documentBuilderFactory.setNamespaceAware(true);
             documentBuilderFactory.setExpandEntityReferences(false);
             documentBuilder = documentBuilderFactory.newDocumentBuilder();
+            documentBuilder.setEntityResolver(
+                    new WebdavResolver(this.getServletContext()));
         } catch(ParserConfigurationException e) {
             throw new ServletException
                 (sm.getString("webdavservlet.jaxpfailed"));
@@ -2779,6 +2784,26 @@
     }
 
 
+    // --------------------------------------------- WebdavResolver Inner Class
+    /**
+     * Work around for XML parsers that don't fully respect
+     * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+     * references are filtered out for security reasons. See CVE-2007-5461.
+     */
+    private class WebdavResolver implements EntityResolver {
+        private ServletContext context;
+        
+        public WebdavResolver(ServletContext theContext) {
+            context = theContext;
+        }
+     
+        public InputSource resolveEntity (String publicId, String systemId) {
+            context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+                    publicId, systemId));
+            return new InputSource(
+                    new StringReader("Ignored external entity"));
+        }
+    }
 };
 
 
@@ -3100,4 +3125,5 @@
     }
 
 };
+
 

Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=587082&r1=587081&r2=587082&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Oct 22 06:19:05 2007
@@ -172,7 +172,7 @@
       </fix>
       <fix>
         Fix CVE-2007-5461, an important information disclosure vulnerability in
-        the WebDAV Servlet. (markt)
+        the WebDAV Servlet. Based on a patch by Marc Schoenefeld. (markt)
       </fix>
       <fix>
         <bug>42979</bug>: Update sample.war to include recent security fixes



---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org