Author: markt Date: Sun Jun 23 19:24:21 2013 New Revision: 1495875 URL: http://svn.apache.org/r1495875 Log: Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=55119 Ensure that the build process produces Javadoc that is not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler. See https://issues.apache.org/jira/browse/LUCENE-5072
Modified:
tomcat/tc7.0.x/trunk/ (props changed)
tomcat/tc7.0.x/trunk/build.xml
tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
Propchange: tomcat/tc7.0.x/trunk/
------------------------------------------------------------------------------
Merged /tomcat/trunk:r1495197
Modified: tomcat/tc7.0.x/trunk/build.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/build.xml?rev=1495875&r1=1495874&r2=1495875&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/build.xml (original)
+++ tomcat/tc7.0.x/trunk/build.xml Sun Jun 23 19:24:21 2013
@@ -1610,6 +1610,8 @@ Apache Tomcat ${version} native binaries
 <path location="${ant.core.lib}"/>
 </classpath>
 </javadoc>
+ <patch-javadoc dir="${tomcat.dist}/webapps/docs/servletapi"
+ docencoding="ISO-8859-1"/>
 <javadoc packagenames="javax.servlet.jsp.*"
 sourcepath="${tomcat.dist}/src/java"
 destdir="${tomcat.dist}/webapps/docs/jspapi"
@@ -1627,6 +1629,8 @@ Apache Tomcat ${version} native binaries
 <path location="${ant.core.lib}"/>
 </classpath>
 </javadoc>
+ <patch-javadoc dir="${tomcat.dist}/webapps/docs/jspapi"
+ docencoding="ISO-8859-1"/>
 <javadoc packagenames="javax.el.*"
 sourcepath="${tomcat.dist}/src/java"
 destdir="${tomcat.dist}/webapps/docs/elapi"
@@ -1644,6 +1648,8 @@ Apache Tomcat ${version} native binaries
 <path location="${ant.core.lib}"/>
 </classpath>
 </javadoc>
+ <patch-javadoc dir="${tomcat.dist}/webapps/docs/elapi"
+ docencoding="ISO-8859-1"/>
 <javadoc packagenames="org.apache.*"
 destdir="${tomcat.dist}/webapps/docs/api"
 version="true"
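Review bot: The hard-coded `docencoding="ISO-8859-1"` on the `<patch-javadoc>` call added after the servletapi `<javadoc>` must equal that task's own `docencoding`, and the `<javadoc>` start tag carrying that attribute lies outside this hunk, so the match cannot be confirmed from the diff. The consequence of a mismatch is asymmetric: the Ant `<replace>` task rewrites the whole file in the given charset, and ISO-8859-1 maps every byte to a character and back, so even a UTF-8 page survives the rewrite byte-for-byte, whereas patching an ISO-8859-1 page as UTF-8 would turn non-ASCII bytes into replacement characters. A short comment at the call site would spare the next maintainer the lookup, e.g. `<!-- must match the docencoding of the <javadoc> task above; ISO-8859-1 is byte-transparent, so it is the safe default if in doubt -->`.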
@@ -1671,8 +1677,78 @@ Apache Tomcat ${version} native binaries
 <path location="${tomcat.dist}/src/modules/jdbc-pool/src/main/java"/>
 </sourcepath>
 </javadoc>
+ <patch-javadoc dir="${tomcat.dist}/webapps/docs/api"
+ docencoding="ISO-8859-1"/>
 </target>
 
+ <!--
+ Patch frame injection bugs in javadoc generated files - see CVE-2013-1571,
+ http://www.kb.cert.org/vuls/id/225657
+
+ This macro works together with the javadoc task on Ant and should be invoked
+ directly after its execution to patch broken javadocs, e.g.:
+ <patch-javadoc dir="..." docencoding="UTF-8"/>
+ Please make sure that the docencoding parameter uses the same charset as
+ javadoc's docencoding. Default is the platform default encoding (like the
+ javadoc task).
+ The specified dir is the destination directory of the javadoc task.
+ -->
+ <macrodef name="patch-javadoc">
+ <attribute name="dir"/>
+ <attribute name="docencoding" default="${file.encoding}"/>
+ <sequential>
+ <replace encoding="@{docencoding}" summary="true" taskname="patch-javadoc">
+ <restrict>
+ <fileset dir="@{dir}" casesensitive="false"
+ includes="**/index.html,**/index.htm,**/toc.html,**/toc.htm"/>
+ <!-- TODO: add encoding="@{docencoding}" to contains check, when we
+ are on ANT 1.9.0: -->
+ <not>
+ <contains text="function validURL(url) {" casesensitive="true" />
+ </not>
+ </restrict>
+ <replacetoken><![CDATA[function loadFrames() {]]></replacetoken>
+ <replacevalue expandProperties="false"><![CDATA[if (targetPage != "" && !validURL(targetPage))
+ targetPage = "undefined";
+ function validURL(url) {
+ var pos = url.indexOf(".html");
+ if (pos == -1 || pos != url.length - 5)
+ return false;
+ var allowNumber = false;
+ var allowSep = false;
+ var seenDot = false;
+ for (var i = 0; i < url.length - 5; i++) {
+ var ch = url.charAt(i);
+ if ('a' <= ch && ch <= 'z' ||
+ 'A' <= ch && ch <= 'Z' ||
+ ch == '$' ||
+ ch == '_') {
+ allowNumber = true;
+ allowSep = true;
+ } else if ('0' <= ch && ch <= '9'
+ || ch == '-') {
+ if 
(!allowNumber)
+ return false;
+ } else if (ch == '/' || ch == '.') {
+ if (!allowSep)
+ return false;
+ allowNumber = false;
+ allowSep = false;
+ if (ch == '.')
+ seenDot = true;
+ if (ch == '/' && seenDot)
+ return false;
+ } else {
+ return false;
+ }
+ }
+ return true;
+ }
+ function loadFrames() {]]></replacevalue>
+ </replace>
+ </sequential>
+ </macrodef>
+
 <target name="dist-deployer"
 depends="dist-prepare,deploy"
 description="Create the Tomcat deployer binary">
Modified: tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml?rev=1495875&r1=1495874&r2=1495875&view=diff
==============================================================================
--- tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc7.0.x/trunk/webapps/docs/changelog.xml Sun Jun 23 19:24:21 2013
@@ -129,6 +129,11 @@
 1.3 core library as its classes are no longer included in junit.jar.
 (kkolinko)
 </update>
+ <fix>
+ <bug>55119</bug>: Ensure that the build process produces Javadoc that is
+ not vulnerable to CVE-2013-1571. Based on a patch by Uwe Schindler.
+ (markt)
+ </fix>
 </changelog>
 </subsection>
 </section>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
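Review bot: The `<replace>` inside `<macrodef name="patch-javadoc">` is a silent no-op whenever its `function loadFrames() {` token is not found, so a frameset page whose loader is laid out differently (other whitespace, a future Javadoc template) would ship without the `validURL()` guard while the build stays green; `summary="true"` only logs a count that nothing checks. Since the guard is the entire purpose of this change, the macro should assert its own post-condition: after the `<replace>`, fail if any selected file still mentions `loadFrames` but not `validURL`, which the `<restrict>`/`<contains>` vocabulary the hunk already uses makes cheap. The inserted script additionally assumes `targetPage` is already assigned above the token in the generated page and relies on the `<not><contains text="function validURL(url) {"/></not>` filter to leave already-fixed JDK output alone; neither fact is visible here, so a one-line comment on the `<replacetoken>` stating both assumptions would help the next maintainer.
```xml
        <replace encoding="@{docencoding}" summary="true" taskname="patch-javadoc">
          <!-- … unchanged: restrict / replacetoken / replacevalue … -->
        </replace>
        <!-- Post-condition: the replace above is a silent no-op when the
             loadFrames token does not match, so refuse to ship any frameset
             page that still uses loadFrames without the validURL guard. -->
        <fail message="patch-javadoc: CVE-2013-1571 guard missing in @{dir}">
          <condition>
            <resourcecount when="greater" count="0">
              <restrict>
                <fileset dir="@{dir}" casesensitive="false"
                         includes="**/index.html,**/index.htm,**/toc.html,**/toc.htm"/>
                <contains text="loadFrames" casesensitive="true"/>
                <not>
                  <contains text="validURL" casesensitive="true"/>
                </not>
              </restrict>
            </resourcecount>
          </condition>
        </fail>
```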