Author: markt
Date: Sun Jun 23 19:24:21 2013
New Revision: 1495875
URL: http://svn.apache.org/r1495875
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55119
Ensure that the build process produces Javadoc that is not vulnerable to
CVE-2013-1571.
Based on a patch by Uwe Schindler.
See https://issues.apache.org/jira/browse/LUCENE-5072
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/build.xml
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1495197
Modified: tomcat/tc7.0.x/trunk/build.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/build.xml?rev=1495875&r1=1495874&r2=1495875&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/build.xml (original)
+++ tomcat/tc7.0.x/trunk/build.xml Sun Jun 23 19:24:21 2013
@@ -1610,6 +1610,8 @@ Apache Tomcat ${version} native binaries
<path location="${ant.core.lib}"/>
</classpath>
</javadoc>
+ <patch-javadoc dir="${tomcat.dist}/webapps/docs/servletapi"
+ docencoding="ISO-8859-1"/>
<javadoc packagenames="javax.servlet.jsp.*"
sourcepath="${tomcat.dist}/src/java"
destdir="${tomcat.dist}/webapps/docs/jspapi"
@@ -1627,6 +1629,8 @@ Apache Tomcat ${version} native binaries
<path location="${ant.core.lib}"/>
</classpath>
</javadoc>
+ <patch-javadoc dir="${tomcat.dist}/webapps/docs/jspapi"
+ docencoding="ISO-8859-1"/>
<javadoc packagenames="javax.el.*"
sourcepath="${tomcat.dist}/src/java"
destdir="${tomcat.dist}/webapps/docs/elapi"
@@ -1644,6 +1648,8 @@ Apache Tomcat ${version} native binaries
<path location="${ant.core.lib}"/>
</classpath>
</javadoc>
+ <patch-javadoc dir="${tomcat.dist}/webapps/docs/elapi"
+ docencoding="ISO-8859-1"/>
<javadoc packagenames="org.apache.*"
destdir="${tomcat.dist}/webapps/docs/api"
version="true"
@@ -1671,8 +1677,78 @@ Apache Tomcat ${version} native binaries
<path location="${tomcat.dist}/src/modules/jdbc-pool/src/main/java"/>
</sourcepath>
</javadoc>
+ <patch-javadoc dir="${tomcat.dist}/webapps/docs/api"
+ docencoding="ISO-8859-1"/>
</target>
+ <!--
+ Patch frame injection bugs in javadoc generated files - see CVE-2013-1571,
+ http://www.kb.cert.org/vuls/id/225657
+
+ This macro works together with the javadoc task on Ant and should be
invoked
+ directly after its execution to patch broken javadocs, e.g.:
+ <patch-javadoc dir="..." docencoding="UTF-8"/>
+ Please make sure that the docencoding parameter uses the same charset as
+ javadoc's docencoding. Default is the platform default encoding (like the
+ javadoc task).
+ The specified dir is the destination directory of the javadoc task.
+ -->
+ <macrodef name="patch-javadoc">
+ <attribute name="dir"/>
+ <attribute name="docencoding" default="${file.encoding}"/>
+ <sequential>
+ <replace encoding="@{docencoding}" summary="true"
taskname="patch-javadoc">
+ <restrict>
+ <fileset dir="@{dir}" casesensitive="false"
+ includes="**/index.html,**/index.htm,**/toc.html,**/toc.htm"/>
+ <!-- TODO: add encoding="@{docencoding}" to contains check, when we
+ are on ANT 1.9.0: -->
+ <not>
+ <contains text="function validURL(url) {" casesensitive="true"
/>
+ </not>
+ </restrict>
+ <replacetoken><![CDATA[function loadFrames() {]]></replacetoken>
+ <replacevalue expandProperties="false"><![CDATA[if (targetPage != ""
&& !validURL(targetPage))
+ targetPage = "undefined";
+ function validURL(url) {
+ var pos = url.indexOf(".html");
+ if (pos == -1 || pos != url.length - 5)
+ return false;
+ var allowNumber = false;
+ var allowSep = false;
+ var seenDot = false;
+ for (var i = 0; i < url.length - 5; i++) {
+ var ch = url.charAt(i);
+ if ('a' <= ch && ch <= 'z' ||
+ 'A' <= ch && ch <= 'Z' ||
+ ch == '$' ||
+ ch == '_') {
+ allowNumber = true;
+ allowSep = true;
+ } else if ('0' <= ch && ch <= '9'
+ || ch == '-') {
+ if (!allowNumber)
+ return false;
+ } else if (ch == '/' || ch == '.') {
+ if (!allowSep)
+ return false;
+ allowNumber = false;
+ allowSep = false;
+ if (ch == '.')
+ seenDot = true;
+ if (ch == '/' && seenDot)
+ return false;
+ } else {
+ return false;
+ }
+ }
+ return true;
+ }
+ function loadFrames() {]]></replacevalue>
+ </replace>
+ </sequential>
+ </macrodef>
+
<target name="dist-deployer" depends="dist-prepare,deploy"
description="Create the Tomcat deployer binary">
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495875&r1=1495874&r2=1495875&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Sun Jun 23 19:24:21 2013
@@ -129,6 +129,11 @@
1.3 core library as its classes are no longer included in junit.jar.
(kkolinko)
</update>
+ <fix>
+ <bug>55119</bug>: Ensure that the build process produces Javadoc that
is
+ not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler.
+ (markt)
+ </fix>
</changelog>
</subsection>
</section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
