Posted to dev@tomcat.apache.org by ma...@apache.org on 2007/10/22 15:19:06 UTC
svn commit: r587082 - in /tomcat/tc6.0.x/trunk: STATUS
java/org/apache/catalina/servlets/LocalStrings.properties
java/org/apache/catalina/servlets/WebdavServlet.java
webapps/docs/changelog.xml
Author: markt
Date: Mon Oct 22 06:19:05 2007
New Revision: 587082
URL: http://svn.apache.org/viewvc?rev=587082&view=rev
Log:
Improve patch for WebDAV issue.
Modified:
tomcat/tc6.0.x/trunk/STATUS
tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties
tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
Modified: tomcat/tc6.0.x/trunk/STATUS
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS?rev=587082&r1=587081&r2=587082&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS (original)
+++ tomcat/tc6.0.x/trunk/STATUS Mon Oct 22 06:19:05 2007
@@ -37,12 +37,6 @@
+1: fhanik
-1:
-* Improve fix for webdav vulnerability to workaround what looks like a parser
- bug
- http://people.apache.org/~markt/patches/2007-10-20-webdav.patch
- +1: markt,fhanik, remm
- -1:
-
* Fix possible DoS condition for the experimental NIO/AJP module (reported by William Leung via email)
http://issues.apache.org/bugzilla/show_bug.cgi?id=43621
+1: billbarker,fhanik
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties?rev=587082&r1=587081&r2=587082&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/LocalStrings.properties Mon Oct 22 06:19:05 2007
@@ -25,6 +25,7 @@
invokerServlet.notNamed=Cannot call invoker servlet with a named dispatcher
invokerServlet.noWrapper=Container has not called setWrapper() for this servlet
webdavservlet.jaxpfailed=JAXP initialization failed
+webdavservlet.enternalEntityIgnored=The request included a reference to an external entity with PublicID {0} and SystemID {1} which was ignored
directory.filename=Filename
directory.lastModified=Last Modified
directory.parent=Up To {0}
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java?rev=587082&r1=587081&r2=587082&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/servlets/WebdavServlet.java Mon Oct 22 06:19:05 2007
@@ -20,6 +20,7 @@
import java.io.IOException;
+import java.io.StringReader;
import java.io.StringWriter;
import java.io.Writer;
import java.security.MessageDigest;
@@ -36,6 +37,7 @@
import javax.naming.NamingEnumeration;
import javax.naming.NamingException;
import javax.naming.directory.DirContext;
+import javax.servlet.ServletContext;
import javax.servlet.ServletException;
import javax.servlet.UnavailableException;
import javax.servlet.http.HttpServletRequest;
@@ -57,6 +59,7 @@
import org.w3c.dom.Element;
import org.w3c.dom.Node;
import org.w3c.dom.NodeList;
+import org.xml.sax.EntityResolver;
import org.xml.sax.InputSource;
import org.xml.sax.SAXException;
@@ -245,6 +248,8 @@
documentBuilderFactory.setNamespaceAware(true);
documentBuilderFactory.setExpandEntityReferences(false);
documentBuilder = documentBuilderFactory.newDocumentBuilder();
+ documentBuilder.setEntityResolver(
+ new WebdavResolver(this.getServletContext()));
} catch(ParserConfigurationException e) {
throw new ServletException
(sm.getString("webdavservlet.jaxpfailed"));
@@ -2779,6 +2784,26 @@
}
+ // --------------------------------------------- WebdavResolver Inner Class
+ /**
+ * Work around for XML parsers that don't fully respect
+ * {@link DocumentBuilderFactory#setExpandEntityReferences(false)}. External
+ * references are filtered out for security reasons. See CVE-2007-5461.
+ */
+ private class WebdavResolver implements EntityResolver {
+ private ServletContext context;
+
+ public WebdavResolver(ServletContext theContext) {
+ context = theContext;
+ }
+
+ public InputSource resolveEntity (String publicId, String systemId) {
+ context.log(sm.getString("webdavservlet.enternalEntityIgnored",
+ publicId, systemId));
+ return new InputSource(
+ new StringReader("Ignored external entity"));
+ }
+ }
};
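Review bot: `resolveEntity` writes the request-supplied `publicId` and `systemId` into the container log verbatim, so whoever sends the WebDAV body controls the logged text, including line breaks; consider stripping control characters or truncating both values before the `sm.getString` call, e.g. `String pub = publicId == null ? null : publicId.replaceAll("\\p{Cntrl}", "?");` with the same for `systemId`, and pass those to the message. The Javadoc reference `{@link DocumentBuilderFactory#setExpandEntityReferences(false)}` uses an argument value where Javadoc expects a parameter type and will not resolve; it should read `{@link DocumentBuilderFactory#setExpandEntityReferences(boolean)}`. The message key `webdavservlet.enternalEntityIgnored` (here and in the LocalStrings.properties hunk) looks like a misspelling of `externalEntityIgnored`; the lookup is consistent so it works, but renaming both sides now avoids a misleading identifier later. `WebdavResolver` receives the `ServletContext` through its constructor and otherwise only touches `sm`, so if `sm` is the usual static StringManager it could be declared `private static class` to avoid the implicit reference to the enclosing servlet instance; the enclosing WebdavServlet class begins outside this hunk.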
@@ -3100,4 +3125,5 @@
}
};
+
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=587082&r1=587081&r2=587082&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Mon Oct 22 06:19:05 2007
@@ -172,7 +172,7 @@
</fix>
<fix>
Fix CVE-2007-5461, an important information disclosure vulnerability in
- the WebDAV Servlet. (markt)
+ the WebDAV Servlet. Based on a patch by Marc Schoenefeld. (markt)
</fix>
<fix>
<bug>42979</bug>: Update sample.war to include recent security fixes