This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new d98cd9e5de Fix unintended escaping of XML in some WebDAV responses
d98cd9e5de is described below

commit d98cd9e5dec1bd8ba9f027f5909d8b207a4e3522
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Wed Nov 29 17:04:19 2023 +0000

    Fix unintended escaping of XML in some WebDAV responses
    
    The XML list of supported locks, when provided in response to a PROPFIND
    request, was incorrectly XML escaped.
---
 java/org/apache/catalina/servlets/WebdavServlet.java |  4 ++--
 java/org/apache/catalina/util/XMLWriter.java         | 10 ++++++++++
 webapps/docs/changelog.xml                           |  5 +++++
 3 files changed, 17 insertions(+), 2 deletions(-)

diff --git a/java/org/apache/catalina/servlets/WebdavServlet.java 
b/java/org/apache/catalina/servlets/WebdavServlet.java
index 55faf853a2..e10b85bc99 100644
--- a/java/org/apache/catalina/servlets/WebdavServlet.java
+++ b/java/org/apache/catalina/servlets/WebdavServlet.java
@@ -1960,7 +1960,7 @@ public class WebdavServlet extends DefaultServlet {
                         "<D:lockscope><D:shared/></D:lockscope>" + 
"<D:locktype><D:write/></D:locktype>" +
                         "</D:lockentry>";
                 generatedXML.writeElement("D", "supportedlock", 
XMLWriter.OPENING);
-                generatedXML.writeText(supportedLocks);
+                generatedXML.writeRaw(supportedLocks);
                 generatedXML.writeElement("D", "supportedlock", 
XMLWriter.CLOSING);
 
                 generateLockDiscovery(path, generatedXML);
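Review bot: Switching to `writeRaw(supportedLocks)` is only safe if `supportedLocks` is a fixed fragment built from string literals, and nothing at the call site says so. The visible tail of the assignment is all literals, but it starts outside the hunk, so that should be confirmed. I would add a comment above the call, for example `// supportedLocks is a constant XML fragment; it contains no request-derived data`, so that a later edit does not route `path` or a property value through the unescaped writer. The same applies to the identical call in the second hunk (`@@ -2068,7 +2068,7 @@`). Since the fragment is duplicated in both places, hoisting it into a `private static final String` would make its constant nature visible in one spot.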
@@ -2068,7 +2068,7 @@ public class WebdavServlet extends DefaultServlet {
                                 "<D:lockscope><D:shared/></D:lockscope>" + 
"<D:locktype><D:write/></D:locktype>" +
                                 "</D:lockentry>";
                         generatedXML.writeElement("D", "supportedlock", 
XMLWriter.OPENING);
-                        generatedXML.writeText(supportedLocks);
+                        generatedXML.writeRaw(supportedLocks);
                         generatedXML.writeElement("D", "supportedlock", 
XMLWriter.CLOSING);
                     } else if (property.equals("lockdiscovery")) {
                         if (!generateLockDiscovery(path, generatedXML)) {
diff --git a/java/org/apache/catalina/util/XMLWriter.java 
b/java/org/apache/catalina/util/XMLWriter.java
index 8290b73943..143c305f34 100644
--- a/java/org/apache/catalina/util/XMLWriter.java
+++ b/java/org/apache/catalina/util/XMLWriter.java
@@ -205,6 +205,16 @@ public class XMLWriter {
     }
 
 
+    /**
+     * Write raw XML data.
+     *
+     * @param raw Raw XML to append
+     */
+    public void writeRaw(String raw) {
+        buffer.append(raw);
+    }
+
+
     /**
      * Write data.
      *
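Review bot: The Javadoc added for `writeRaw` does not state that the argument is appended to the buffer without any escaping, which is what distinguishes it from `writeText`. Because the method is public on a shared utility class, the comment should put the obligation on the caller. I would change the summary to `Write raw XML data. No escaping is performed.` and the parameter line to `@param raw Trusted, well-formed XML to append; never pass request-derived values`. Without that, the next user of `XMLWriter` has no hint that feeding a resource path or property value into this method allows markup injection into the WebDAV response.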
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 1fc5a0ec38..321d018ccf 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -111,6 +111,11 @@
         Background processes should not be run concurrently with lifecycle
         oprations of a container. (remm)
       </fix>
+      <fix>
+        Correct unintended escaping of XML in some WebDAV responses. The XML
+        list of support locks when provided in response to a PROPFIND request
+        was incorrectly XML escaped. (markt)
+      </fix>
     </changelog>
   </subsection>
   <subsection name="Jasper">

