Author: pabloduboue-guest
Date: 2009-12-14 09:26:36 +0000 (Mon, 14 Dec 2009)
New Revision: 11288
Removed:
trunk/jetty/debian/patches/01_CVE_2009_3579.patch
trunk/jetty/debian/patches/02_log_exploit.patch
trunk/jetty/debian/patches/03_jsnoop-vul.patch
Log:
Removed old patches subsumed by new upstream version.
Deleted: trunk/jetty/debian/patches/01_CVE_2009_3579.patch
===================================================================
--- trunk/jetty/debian/patches/01_CVE_2009_3579.patch 2009-12-14 09:24:06 UTC
(rev 11287)
+++ trunk/jetty/debian/patches/01_CVE_2009_3579.patch 2009-12-14 09:26:36 UTC
(rev 11288)
@@ -1,41 +0,0 @@
-Description: Fixes CVE-2009-3579.
-Origin: Fedora.
-
-diff -up ./examples/test-webapp/src/main/java/com/acme/CookieDump.java.fix
./examples/test-webapp/src/main/java/com/acme/CookieDump.java
---- a/examples/test-webapp/src/main/java/com/acme/CookieDump.java
2009-11-03 12:32:01.000000000 -0500
-+++ b/examples/test-webapp/src/main/java/com/acme/CookieDump.java
2009-11-03 12:33:52.000000000 -0500
-@@ -26,6 +26,8 @@ import javax.servlet.http.HttpServletReq
- import javax.servlet.http.HttpServletResponse;
- import javax.servlet.http.HttpSession;
-
-+import org.mortbay.util.StringUtil;
-+
-
- /* ------------------------------------------------------------ */
- /** Test Servlet Cookies.
-@@ -89,7 +91,7 @@ public class CookieDump extends HttpServ
-
- for (int i=0;cookies!=null && i<cookies.length;i++)
- {
--
out.println("<b>"+cookies[i].getName()+"</b>="+cookies[i].getValue()+"<br/>");
-+
out.println("<b>"+deScript(cookies[i].getName())+"</b>="+deScript(cookies[i].getValue())+"<br/>");
- }
-
- out.println("<form action=\""+response.encodeURL(getURI(request))+"\"
method=\"post\">");
-@@ -114,5 +116,15 @@ public class CookieDump extends HttpServ
- uri=request.getRequestURI();
- return uri;
- }
--
-+
-+ /* ------------------------------------------------------------ */
-+ protected String deScript(String string)
-+ {
-+ if (string==null)
-+ return null;
-+ string=StringUtil.replace(string, "&", "&");
-+ string=StringUtil.replace(string, "<", "<");
-+ string=StringUtil.replace(string, ">", ">");
-+ return string;
-+ }
- }
Deleted: trunk/jetty/debian/patches/02_log_exploit.patch
===================================================================
--- trunk/jetty/debian/patches/02_log_exploit.patch 2009-12-14 09:24:06 UTC
(rev 11287)
+++ trunk/jetty/debian/patches/02_log_exploit.patch 2009-12-14 09:26:36 UTC
(rev 11288)
@@ -1,324 +0,0 @@
-Description: Prevents jetty from writing binary characters to log-files.
-Origin: Fedora
-
-diff -up
./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java.fix2
./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java
---- a/modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java
2009-11-03 12:45:36.000000000 -0500
-+++ b/modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java
2009-11-03 12:47:35.000000000 -0500
-@@ -91,8 +91,7 @@ public class ErrorHandler extends Abstra
- writer.write("<title>Error ");
- writer.write(Integer.toString(code));
- writer.write(' ');
-- if (message!=null)
-- writer.write(deScript(message));
-+ write(writer,message);
- writer.write("</title>\n");
- }
-
-@@ -117,9 +116,9 @@ public class ErrorHandler extends Abstra
- writer.write("<h2>HTTP ERROR ");
- writer.write(Integer.toString(code));
- writer.write("</h2>\n<p>Problem accessing ");
-- writer.write(deScript(uri));
-+ write(writer,uri);
- writer.write(". Reason:\n<pre> ");
-- writer.write(deScript(message));
-+ write(writer,message);
- writer.write("</pre></p>");
- }
-
-@@ -135,7 +134,7 @@ public class ErrorHandler extends Abstra
- PrintWriter pw = new PrintWriter(sw);
- th.printStackTrace(pw);
- pw.flush();
-- writer.write(deScript(sw.getBuffer().toString()));
-+ write(writer,sw.getBuffer().toString());
- writer.write("</pre>\n");
-
- th =th.getCause();
-@@ -162,13 +161,34 @@ public class ErrorHandler extends Abstra
- }
-
- /* ------------------------------------------------------------ */
-- protected String deScript(String string)
-+ protected void write(Writer writer,String string)
-+ throws IOException
- {
- if (string==null)
-- return null;
-- string=StringUtil.replace(string, "&", "&");
-- string=StringUtil.replace(string, "<", "<");
-- string=StringUtil.replace(string, ">", ">");
-- return string;
-+ return;
-+
-+ for (int i=0;i<string.length();i++)
-+ {
-+ char c=string.charAt(i);
-+
-+ switch(c)
-+ {
-+ case '&' :
-+ writer.write("&");
-+ break;
-+ case '<' :
-+ writer.write("<");
-+ break;
-+ case '>' :
-+ writer.write(">");
-+ break;
-+
-+ default:
-+ if (Character.isISOControl(c) &&
!Character.isWhitespace(c))
-+ writer.write('?');
-+ else
-+ writer.write(c);
-+ }
-+ }
- }
- }
-diff -up ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java.fix2
./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java
---- a/modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java
2009-11-03 12:46:07.000000000 -0500
-+++ b/modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java
2009-11-03 12:47:35.000000000 -0500
-@@ -465,7 +465,15 @@ public class HttpParser implements Parse
- case
HttpHeaders.CONTENT_LENGTH_ORDINAL:
- if (_contentLength !=
HttpTokens.CHUNKED_CONTENT)
- {
--
_contentLength=BufferUtil.toLong(value);
-+ try
-+ {
-+
_contentLength=BufferUtil.toLong(value);
-+ }
-+ catch(NumberFormatException e)
-+ {
-+ Log.ignore(e);
-+ throw new
HttpException(HttpServletResponse.SC_BAD_REQUEST);
-+ }
- if (_contentLength <= 0)
-
_contentLength=HttpTokens.NO_CONTENT;
- }
-diff -up ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java.fix2
./modules/util/src/main/java/org/mortbay/log/StdErrLog.java
---- a/modules/util/src/main/java/org/mortbay/log/StdErrLog.java
2009-11-03 12:47:02.000000000 -0500
-+++ b/modules/util/src/main/java/org/mortbay/log/StdErrLog.java
2009-11-03 12:48:00.000000000 -0500
-@@ -26,8 +26,10 @@ import org.mortbay.util.DateCache;
- public class StdErrLog implements Logger
- {
- private static DateCache _dateCache;
-- private static boolean debug = System.getProperty("DEBUG",null)!=null;
-- private String name;
-+ private static boolean __debug = System.getProperty("DEBUG",null)!=null;
-+ private String _name;
-+
-+ StringBuffer _buffer = new StringBuffer();
-
- static
- {
-@@ -49,44 +51,59 @@ public class StdErrLog implements Logger
-
- public StdErrLog(String name)
- {
-- this.name=name==null?"":name;
-+ this._name=name==null?"":name;
- }
-
- public boolean isDebugEnabled()
- {
-- return debug;
-+ return __debug;
- }
-
- public void setDebugEnabled(boolean enabled)
- {
-- debug=enabled;
-+ __debug=enabled;
- }
-
- public void info(String msg,Object arg0, Object arg1)
- {
- String d=_dateCache.now();
- int ms=_dateCache.lastMs();
--
System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":INFO:
"+format(msg,arg0,arg1));
-+ synchronized(_buffer)
-+ {
-+ tag(d,ms,":INFO:");
-+ format(msg,arg0,arg1);
-+ System.err.println(_buffer.toString());
-+ }
- }
-
- public void debug(String msg,Throwable th)
- {
-- if (debug)
-+ if (__debug)
- {
- String d=_dateCache.now();
- int ms=_dateCache.lastMs();
--
System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":DEBUG: "+msg);
-- if (th!=null) th.printStackTrace();
-+ synchronized(_buffer)
-+ {
-+ tag(d,ms,":DBUG:");
-+ format(msg);
-+ format(th);
-+ System.err.println(_buffer.toString());
-+ }
- }
- }
-
- public void debug(String msg,Object arg0, Object arg1)
- {
-- if (debug)
-+ if (__debug)
- {
- String d=_dateCache.now();
- int ms=_dateCache.lastMs();
--
System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":DEBUG:
"+format(msg,arg0,arg1));
-+ synchronized(_buffer)
-+ {
-+ tag(d,ms,":DBUG:");
-+ format(msg,arg0,arg1);
-+ System.err.println(_buffer.toString());
-+ }
- }
- }
-
-@@ -94,42 +111,126 @@ public class StdErrLog implements Logger
- {
- String d=_dateCache.now();
- int ms=_dateCache.lastMs();
--
System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":WARN:
"+format(msg,arg0,arg1));
-+ synchronized(_buffer)
-+ {
-+ tag(d,ms,":WARN:");
-+ format(msg,arg0,arg1);
-+ System.err.println(_buffer.toString());
-+ }
- }
-
- public void warn(String msg, Throwable th)
- {
- String d=_dateCache.now();
- int ms=_dateCache.lastMs();
--
System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":WARN: "+msg);
-- if (th!=null)
-- th.printStackTrace();
-+ synchronized(_buffer)
-+ {
-+ tag(d,ms,":WARN:");
-+ format(msg);
-+ format(th);
-+ System.err.println(_buffer.toString());
-+ }
- }
--
-- private String format(String msg, Object arg0, Object arg1)
-+
-+ private void tag(String d,int ms,String tag)
-+ {
-+ _buffer.setLength(0);
-+ _buffer.append(d);
-+ if (ms>99)
-+ _buffer.append('.');
-+ else if (ms>9)
-+ _buffer.append(".0");
-+ else
-+ _buffer.append(".00");
-+ _buffer.append(ms).append(tag).append(_name).append(':');
-+ }
-+
-+ private void format(String msg, Object arg0, Object arg1)
- {
- int i0=msg.indexOf("{}");
- int i1=i0<0?-1:msg.indexOf("{}",i0+2);
-
-- if (arg1!=null && i1>=0)
-- msg=msg.substring(0,i1)+arg1+msg.substring(i1+2);
-- if (arg0!=null && i0>=0)
-- msg=msg.substring(0,i0)+arg0+msg.substring(i0+2);
-- return msg;
-+ if (i0>=0)
-+ {
-+ format(msg.substring(0,i0));
-+ format(String.valueOf(arg0));
-+
-+ if (i1>=0)
-+ {
-+ format(msg.substring(i0+2,i1));
-+ format(String.valueOf(arg1));
-+ format(msg.substring(i1+2));
-+ }
-+ else
-+ {
-+ format(msg.substring(i0+2));
-+ if (arg1!=null)
-+ {
-+ _buffer.append(' ');
-+ format(String.valueOf(arg1));
-+ }
-+ }
-+ }
-+ else
-+ {
-+ format(msg);
-+ if (arg0!=null)
-+ {
-+ _buffer.append(' ');
-+ format(String.valueOf(arg0));
-+ }
-+ if (arg1!=null)
-+ {
-+ _buffer.append(' ');
-+ format(String.valueOf(arg1));
-+ }
-+ }
-+ }
-+
-+ private void format(String msg)
-+ {
-+ for (int i=0;i<msg.length();i++)
-+ {
-+ char c=msg.charAt(i);
-+ if (Character.isISOControl(c))
-+ {
-+ if (c=='\n')
-+ _buffer.append('|');
-+ else if (c=='\r')
-+ _buffer.append('<');
-+ else
-+ _buffer.append('?');
-+ }
-+ else
-+ _buffer.append(c);
-+ }
-+ }
-+
-+ private void format(Throwable th)
-+ {
-+ _buffer.append('\n');
-+ format(th.toString());
-+ StackTraceElement[] elements = th.getStackTrace();
-+ for (int i=0;elements!=null && i<elements.length;i++)
-+ {
-+ _buffer.append("\n\tat ");
-+ format(elements[i].toString());
-+ }
- }
-
- public Logger getLogger(String name)
- {
-- if ((name==null && this.name==null) ||
-- (name!=null && name.equals(this.name)))
-+ if ((name==null && this._name==null) ||
-+ (name!=null && name.equals(this._name)))
- return this;
- return new StdErrLog(name);
- }
-
- public String toString()
- {
-- return "STDERR"+name;
-+ return "STDERR"+_name;
- }
-+
-
- }
-
Deleted: trunk/jetty/debian/patches/03_jsnoop-vul.patch
===================================================================
--- trunk/jetty/debian/patches/03_jsnoop-vul.patch 2009-12-14 09:24:06 UTC
(rev 11287)
+++ trunk/jetty/debian/patches/03_jsnoop-vul.patch 2009-12-14 09:26:36 UTC
(rev 11288)
@@ -1,18 +0,0 @@
-Description: Prevents javascript injection.
-
---- a/examples/test-webapp/src/main/webapp/snoop.jsp 2009-11-27
23:59:43.417283321 +0100
-+++ a/examples/test-webapp/src/main/webapp/snoop.jsp 2009-11-28
00:00:19.801283807 +0100
-@@ -32,11 +32,11 @@
- </TR>
- <TR>
- <TH align=right>Path info:</TH>
-- <TD><%= request.getPathInfo() %></TD>
-+ <TD><%= request.getPathInfo().replaceAll("<",
"<").replaceAll(">",">") %></TD>
- </TR>
- <TR>
- <TH align=right>Path translated:</TH>
-- <TD><%= request.getPathTranslated() %></TD>
-+ <TD><%= request.getPathTranslated().replaceAll("<",
"<").replaceAll(">",">") %></TD>
- </TR>
- <TR>
- <TH align=right>Query string:</TH>
_______________________________________________
pkg-java-commits mailing list
pkg-java-comm...@lists.alioth.debian.org
http://lists.alioth.debian.org/mailman/listinfo/pkg-java-commits
