Why Spports Bras Are So Popular And Some Of The Best Choices
inline: Schwisow.png___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
How Ograsms Can Benefit Your Health
inline: Odums.png___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
Bug#528352: CVE-2008-2025: Cross-site scripting (XSS) vulnerability
Package: libstruts1.2-java
Severity: important
Tags: patch, security
Hi,
the following CVE (Common Vulnerabilities Exposures) id was
published for libstruts1.2-java.
CVE-2008-2025[0]:
| Cross-site scripting (XSS) vulnerability in Apache Struts before
| 1.2.9-162.31.1 on SUSE Linux Enterprise (SLE) 11, before 1.2.9-108.2
| on SUSE openSUSE 10.3, before 1.2.9-198.2 on SUSE openSUSE 11.0, and
| before 1.2.9-162.163.2 on SUSE openSUSE 11.1 allows remote attackers
| to inject arbitrary web script or HTML via unspecified vectors related
| to insufficient quoting of parameters.
The attached patch should be the one that was used by Suse. Please check
and consider uploading. Also, please check the stable/oldstable version.
If you fix the vulnerability please also make sure to include the
CVE id in your changelog entry.
Cheers
Steffen
For further information see:
[0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-2025
http://security-tracker.debian.net/tracker/CVE-2008-2025
diff --git a/src/org/apache/struts/taglib/html/BaseHandlerTag.java b/src/org/apache/struts/taglib/html/BaseHandlerTag.java
index 403ff97..095045c 100644
--- a/src/org/apache/struts/taglib/html/BaseHandlerTag.java
+++ b/src/org/apache/struts/taglib/html/BaseHandlerTag.java
@@ -35,6 +35,7 @@ import org.apache.struts.taglib.TagUtils;
import org.apache.struts.taglib.logic.IterateTag;
import org.apache.struts.util.MessageResources;
import org.apache.struts.util.RequestUtils;
+import org.apache.struts.util.ResponseUtils;
/**
* Base class for tags that render form elements capable of including JavaScript
@@ -898,10 +899,12 @@ public abstract class BaseHandlerTag extends BodyTagSupport {
*/
protected void prepareAttribute(StringBuffer handlers, String name, Object value) {
if (value != null) {
+ if (name.indexOf('') = 0)
+ throw new IllegalArgumentException(quote character in attribute name);
handlers.append( );
handlers.append(name);
handlers.append(=\);
-handlers.append(value);
+handlers.append(ResponseUtils.filterIfQuote(value.toString()));
handlers.append(\);
}
}
diff --git a/src/org/apache/struts/taglib/html/BaseTag.java b/src/org/apache/struts/taglib/html/BaseTag.java
index 8c5214b..004ff6a 100644
--- a/src/org/apache/struts/taglib/html/BaseTag.java
+++ b/src/org/apache/struts/taglib/html/BaseTag.java
@@ -30,6 +30,7 @@ import org.apache.struts.Globals;
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
import org.apache.struts.util.RequestUtils;
+import org.apache.struts.util.ResponseUtils;
/**
* Renders an HTML base element with an href
@@ -112,13 +113,14 @@ public class BaseTag extends TagSupport {
String uri) {
StringBuffer tag = new StringBuffer(base href=\);
-tag.append(RequestUtils.createServerUriStringBuffer(scheme,serverName,port,uri).toString());
+tag.append(ResponseUtils.filterIfQuote(
+ RequestUtils.createServerUriStringBuffer(scheme,serverName,port,uri).toString()));
tag.append(\);
if (this.target != null) {
tag.append( target=\);
-tag.append(this.target);
+tag.append(ResponseUtils.filterIfQuote(this.target));
tag.append(\);
}
diff --git a/src/org/apache/struts/taglib/html/FormTag.java b/src/org/apache/struts/taglib/html/FormTag.java
index e8eb9b4..070d090 100644
--- a/src/org/apache/struts/taglib/html/FormTag.java
+++ b/src/org/apache/struts/taglib/html/FormTag.java
@@ -37,6 +37,7 @@ import org.apache.struts.config.ModuleConfig;
import org.apache.struts.taglib.TagUtils;
import org.apache.struts.util.MessageResources;
import org.apache.struts.util.RequestUtils;
+import org.apache.struts.util.ResponseUtils;
/**
* Custom tag that represents an input form, associated with a bean whose
@@ -547,10 +548,10 @@ public class FormTag extends TagSupport {
results.append( action=\);
results.append(
-response.encodeURL(
+ResponseUtils.filterIfQuote(response.encodeURL(
TagUtils.getInstance().getActionMappingURL(
this.action,
-this.pageContext)));
+this.pageContext;
results.append(\);
}
@@ -580,7 +581,7 @@ public class FormTag extends TagSupport {
results.append(divinput type=\hidden\ name=\);
results.append(Constants.TOKEN_KEY);
results.append(\ value=\);
-results.append(token);
+results.append(ResponseUtils.filterIfQuote(token));
if (this.isXhtml()) {
results.append(\ /);
} else {
@@ -599,9 +600,10 @@ public class FormTag extends TagSupport {
protected void renderAttribute(StringBuffer
Vos traductions par des professionnels
Besoin de Traduction? MISTERBABEL.COM Le meilleur rapport Réactivité / Qualité / Prix MISTERBABEL.com LE TRADUCTEUR À VOS CÔTÉS Toutes vos traductions professionnelles, emails, sites Internet, courriers, plaquettes, ... Réactivité Traductions professionnelles en ligne 7j/7, 24h/24. Simplicité En ligne, consultable n'importe où, n'importe quand. Pas de devis grâce à carte de traduction prépayée. Qualité Tous nos traducteurs sont des professionnels de la traduction. Ils sont tous signataires de la Charte de Qualité MisterBabel. Profitez de notre offre spéciale : 10€ offerts Pour tout achat d'un Pack au choix Votre code promo: 10EUROS (offre valable pour tout premier achat, valable jusqu'au 31 mai 2009) L'équipe MisterBabel à votre service au 08 92 70 12 42 (0,34 euro la minute) ou cont...@misterbabel.com Si vous ne souhaitez plus recevoir de messages de la part de MisterBabel, http://form.message-business.net/Publish.aspx?xmlFile=25899; ___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
You Are Guaranteed $1.7m
National Agency España Dr.Pauly Ulrich Address: Avda .Del Petroleo 222 Polig Madrid Spain. http://www.euromillions.com/ Your Email Was Selected As Winner of $1.7M,for claim Contact Mr.Paul Ulrich Via Tel: Tel:+34 634 162 345 Email: nationaltru...@aim.com (¡) Batch. Nº: EULO/2907/444/908/07.,(v)Ref. Nº: ESM/WIN/008/05/10/MA ,lucky numbers 14-16-23-40-46 Best Regards, Mrs. Emily Simon. ___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
Bug#523054: Any likely update for mod_jk?
Hi, I wondered if any fix is likely to be available for CVE-2008-5519 (information disclosure, looks potentially quite severe) any time soon or if any more help is needed? Cheers, Dominic. -- Dominic Hargreaves | http://www.larted.org.uk/~dom/ PGP key 5178E2A5 from the.earth.li (keyserver,web,email) ___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
3 Keys too Becoming a Master Lover
inline: Hooke.png___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
How To Seduce A Waoman
inline: Repsher.png___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
Bug#528389: CVE-2009-1523: Directory traversal vulnerability in the HTTP server in Mort Bay Jetty
Package: jetty Severity: serious Tags: security Hi, the following CVE (Common Vulnerabilities Exposures) id was published for jetty. CVE-2009-1523[0]: | Directory traversal vulnerability in the HTTP server in Mort Bay Jetty | before 6.1.17, and 7.0.0.M2 and earlier 7.x versions, allows remote | attackers to access arbitrary files via directory traversal sequences | in the URI. If you fix the vulnerability please also make sure to include the CVE id in your changelog entry. For further information see: [0] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1523 http://security-tracker.debian.net/tracker/CVE-2009-1523 ___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
libitext-java 2.1.5-1 MIGRATED to testing
FYI: The status of the libitext-java source package in Debian's testing distribution has changed. Previous version: 2.1.4-1 Current version: 2.1.5-1 -- This email is automatically generated once a day. As the installation of new packages into testing happens multiple times a day you will receive later changes on the next day. See http://release.debian.org/testing-watch/ for more information. ___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
Congratulation
Your e-mail address have just won you EUR1.000.000.00 (One Million Euro Only) contact this office for more detail: Mr.Cliff Branson Tel: 0034-687-413-988 Email: (cliffbran...@luckymail.com ) Once again congratulations. Your email address has brought to you this Unexpected luck. Mrs. Helen Gomez. (Lottery coordinator ___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
Processed: severity of 525310 is normal, tagging 525310
Processing commands for cont...@bugs.debian.org: severity 525310 normal Bug#525310: pdfsam-console won't start (missing required file) Severity set to `normal' from `grave' tags 525310 + unreproducible Bug#525310: pdfsam-console won't start (missing required file) There were no tags set. Tags added: unreproducible End of message, stopping processing here. Please contact me if you need assistance. Debian bug tracking system administrator (administrator, Debian Bugs database) ___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
Secret of Sensual Lovve Making - The 4 Big Basics
inline: Gabler.png___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
The Quickie - Where, Hqow and When
inline: Sugden.png___ pkg-java-maintainers mailing list pkg-java-maintainers@lists.alioth.debian.org http://lists.alioth.debian.org/mailman/listinfo/pkg-java-maintainers
