Author: ebourg-guest Date: 2014-02-07 12:40:48 +0000 (Fri, 07 Feb 2014) New Revision: 17737
Removed: trunk/libcommons-fileupload-java/debian/patches/002_CVE-2013-2186.patch
Modified: trunk/libcommons-fileupload-java/debian/changelog trunk/libcommons-fileupload-java/debian/maven.rules trunk/libcommons-fileupload-java/debian/patches/001_update-tests-for-servlet3-api.patch trunk/libcommons-fileupload-java/debian/patches/series
Log: New upstream release (1.3.1) Addresses security issue: CVE-2014-0050
Modified: trunk/libcommons-fileupload-java/debian/changelog
===================================================================
--- trunk/libcommons-fileupload-java/debian/changelog 2014-02-04 13:55:52 UTC (rev 17736)
+++ trunk/libcommons-fileupload-java/debian/changelog 2014-02-07 12:40:48 UTC (rev 17737)
@@ -1,3 +1,11 @@
+libcommons-fileupload-java (1.3.1-1) unstable; urgency=medium
+
+ * New upstream release
+ - Addresses security issue: CVE-2014-0050
+ * Removed 002_CVE-2013-2186.patch (applied upstream)
+
+ -- Emmanuel Bourg <[email protected]> Thu, 06 Feb 2014 22:11:54 +0100
+
 libcommons-fileupload-java (1.3-3) unstable; urgency=low
 * Set the project.build.sourceEncoding property to fix a test failure
Modified: trunk/libcommons-fileupload-java/debian/maven.rules
===================================================================
--- trunk/libcommons-fileupload-java/debian/maven.rules 2014-02-04 13:55:52 UTC (rev 17736)
+++ trunk/libcommons-fileupload-java/debian/maven.rules 2014-02-07 12:40:48 UTC (rev 17737)
@@ -2,3 +2,4 @@
 javax.servlet servlet-api jar s/.*/3.0/ * *
 junit junit jar s/4\..*/4.x/ * *
 s/portlet-api/javax.portlet/ portlet-api jar s/.*/2.0/ * *
+s/org.apache.portals/javax.portlet/ s/portlet-api_2.0_spec/portlet-api/ jar s/.*/2.0/ * *
Modified: trunk/libcommons-fileupload-java/debian/patches/001_update-tests-for-servlet3-api.patch
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/001_update-tests-for-servlet3-api.patch 2014-02-04 13:55:52 UTC (rev 17736)
+++ trunk/libcommons-fileupload-java/debian/patches/001_update-tests-for-servlet3-api.patch 2014-02-07 12:40:48 UTC (rev 17737)
@@ -1,595 +1,83 @@
 Description: Updates the test to compile with the Servlet 3.0 API
- and removes the unused portlet mocks that fail to compile
 Author: Emmanuel Bourg <[email protected]>
 Forwarded: not-needed
 --- a/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java
 +++ b/src/test/java/org/apache/commons/fileupload/MockHttpServletRequest.java
@@ -22,15 +22,24 @@ - import java.io.InputStream; - import java.io.UnsupportedEncodingException; - import java.security.Principal; -+import java.util.Collection; - import java.util.Enumeration; - import java.util.Locale; - import java.util.Map; - -+import javax.servlet.AsyncContext; -+import javax.servlet.DispatcherType; - import javax.servlet.RequestDispatcher; -+import javax.servlet.ServletContext; -+import javax.servlet.ServletException; - import javax.servlet.ServletInputStream; -+import javax.servlet.ServletRequest; -+import javax.servlet.ServletResponse; - import javax.servlet.http.Cookie; - import javax.servlet.http.HttpServletRequest; -+import javax.servlet.http.HttpServletResponse; - import javax.servlet.http.HttpSession; -+import javax.servlet.http.Part; - - /** - * @version $Id: MockHttpServletRequest.java 1455729 2013-03-12 22:01:02Z tn $ -@@ -481,6 +490,52 @@ - return null; - } - -+ public boolean authenticate(HttpServletResponse httpServletResponse) throws IOException, ServletException { -+ return false; -+ } -+ -+ public void login(String s, String s2) throws ServletException { -+ } -+ -+ public void logout() throws ServletException { -+ } -+ -+ public Collection<Part> getParts() throws IOException, ServletException { -+ return null; -+ } -+ -+ public Part getPart(String s) throws IOException, ServletException { -+ return null; -+ } -+ -+ public ServletContext getServletContext() { -+ return null; -+ } -+ -+ public AsyncContext startAsync() throws IllegalStateException { -+ return null; -+ } -+ -+ public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse) throws IllegalStateException { -+ return null; -+ } -+ -+ public boolean isAsyncStarted() { -+ return false; -+ } -+ -+ public boolean isAsyncSupported() { -+ return false; -+ } -+ -+ public AsyncContext getAsyncContext() { -+ return null; -+ } -+ -+ public DispatcherType getDispatcherType() { -+ return null; -+ } -+ - private static class MyServletInputStream - 
extends javax.servlet.ServletInputStream { - -@@ -509,7 +564,7 @@ - return in.read(b, off, len); - } - } -- - } - - } -+ ---- a/src/test/java/org/apache/commons/fileupload/MockPortletSession.java -+++ /dev/null -@@ -1,153 +0,0 @@ --/* -- * Licensed to the Apache Software Foundation (ASF) under one or more -- * contributor license agreements. See the NOTICE file distributed with -- * this work for additional information regarding copyright ownership. -- * The ASF licenses this file to You under the Apache License, Version 2.0 -- * (the "License"); you may not use this file except in compliance with -- * the License. You may obtain a copy of the License at -- * -- * http://www.apache.org/licenses/LICENSE-2.0 -- * -- * Unless required by applicable law or agreed to in writing, software -- * distributed under the License is distributed on an "AS IS" BASIS, -- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- * See the License for the specific language governing permissions and -- * limitations under the License. 
-- */ --package org.apache.commons.fileupload; -- --import java.util.Enumeration; --import java.util.Hashtable; --import javax.portlet.PortletContext; --import javax.portlet.PortletSession; -- --/** -- * A mock portlet session, useful for unit testing and offline utilities -- * Note: currently doesn't support scoping -- * -- * @version $Id: MockPortletSession.java 1454693 2013-03-09 12:30:27Z simonetripodi $ -- */ --public class MockPortletSession implements PortletSession { -- -- // Hashtable (not HashMap) makes enumerations easier to work with -- Hashtable<String, Object> attributes = new Hashtable<String, Object>(); -- -- public MockPortletSession() { -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#getAttribute(java.lang.String) -- */ -- public Object getAttribute(String name) { -- return attributes.get(name); -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#getAttribute(java.lang.String, int) -- */ -- public Object getAttribute(String name, int scope) { -- return attributes.get(name); -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#getAttributeNames(int) -- */ -- public Enumeration<String> getAttributeNames(int scope) { -- return attributes.keys(); -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#getCreationTime() -- */ -- public long getCreationTime() { -- // TODO Auto-generated method stub -- return 0; -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#getId() -- */ -- public String getId() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#getLastAccessedTime() -- */ -- public long getLastAccessedTime() { -- // TODO Auto-generated method stub -- return 0; -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#getMaxInactiveInterval() -- */ -- public int getMaxInactiveInterval() { -- // TODO Auto-generated method stub -- return 0; -- } -- -- /* (non-Javadoc) -- * @see 
javax.portlet.PortletSession#invalidate() -- */ -- public void invalidate() { -- // TODO Auto-generated method stub -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#isNew() -- */ -- public boolean isNew() { -- // TODO Auto-generated method stub -- return false; -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#removeAttribute(java.lang.String) -- */ -- public void removeAttribute(String name) { -- attributes.remove(name); -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#removeAttribute(java.lang.String, int) -- */ -- public void removeAttribute(String name, int scope) { -- attributes.remove(name); -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#setAttribute(java.lang.String, java.lang.Object) -- */ -- public void setAttribute(String name, Object value) { -- attributes.put(name, value); -- } -- -- public Enumeration<String> getAttributeNames() { -- return this.getAttributeNames(PortletSession.PORTLET_SCOPE); -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#setAttribute(java.lang.String, java.lang.Object, int) -- */ -- public void setAttribute(String name, Object value, int scope) { -- attributes.put(name, value); -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#setMaxInactiveInterval(int) -- */ -- public void setMaxInactiveInterval(int interval) { -- // TODO Auto-generated method stub -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletSession#getPortletContext() -- */ -- public PortletContext getPortletContext() { -- // TODO Auto-generated method stub -- return null; -- } -- --} ---- a/src/test/java/org/apache/commons/fileupload/MockPortletRequest.java -+++ /dev/null -@@ -1,343 +0,0 @@ --/* -- * Licensed to the Apache Software Foundation (ASF) under one or more -- * contributor license agreements. See the NOTICE file distributed with -- * this work for additional information regarding copyright ownership. 
-- * The ASF licenses this file to You under the Apache License, Version 2.0 -- * (the "License"); you may not use this file except in compliance with -- * the License. You may obtain a copy of the License at -- * -- * http://www.apache.org/licenses/LICENSE-2.0 -- * -- * Unless required by applicable law or agreed to in writing, software -- * distributed under the License is distributed on an "AS IS" BASIS, -- * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -- * See the License for the specific language governing permissions and -- * limitations under the License. -- */ --package org.apache.commons.fileupload; -- --import java.security.Principal; --import java.util.Enumeration; --import java.util.Locale; --import java.util.Map; -- --import javax.portlet.PortalContext; --import javax.portlet.PortletMode; --import javax.portlet.PortletPreferences; --import javax.portlet.PortletRequest; --import javax.portlet.PortletSession; --import javax.portlet.WindowState; -- --/** -- * A mock portlet request, useful for unit testing and offline utilities -- * -- * @version $Id: MockPortletRequest.java 1454693 2013-03-09 12:30:27Z simonetripodi $ -- */ --public class MockPortletRequest implements PortletRequest { -- -- MockPortletSession session = null; -- -- public MockPortletRequest() { -- session = new MockPortletSession(); -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletRequest#isWindowStateAllowed(javax.portlet.WindowState) -- */ -- public boolean isWindowStateAllowed(WindowState state) { -- // TODO Auto-generated method stub -- return false; -- } -- -- /* (non-Javadoc) -- * @see javax.portlet.PortletRequest#isPortletModeAllowed(javax.portlet.PortletMode) -- */ -- public boolean isPortletModeAllowed(PortletMode mode) { -- // TODO Auto-generated method stub -- return false; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getPortletMode() -- */ -- public PortletMode getPortletMode() { -- // TODO Auto-generated method 
stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getWindowState() -- */ -- public WindowState getWindowState() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getPreferences() -- */ -- public PortletPreferences getPreferences() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getPortletSession() -- */ -- public PortletSession getPortletSession() { -- return session; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getPortletSession(boolean) -- */ -- public PortletSession getPortletSession( boolean create ) { -- if ( session == null ) -- { -- session = new MockPortletSession(); -- } -- return session; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getProperty(java.lang.String) -- */ -- public String getProperty( String name ) { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getProperties(java.lang.String) -- */ -- public Enumeration<String> getProperties( String name ) { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getPropertyNames() -- */ -- public Enumeration<String> getPropertyNames() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getPortalContext() -- */ -- public PortalContext getPortalContext() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getAuthType() -- */ -- public String getAuthType() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getContextPath() -- */ -- public String getContextPath() { -- // TODO 
Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getRemoteUser() -- */ -- public String getRemoteUser() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getUserPrincipal() -- */ -- public Principal getUserPrincipal() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#isUserInRole(java.lang.String) -- */ -- public boolean isUserInRole( String role ) { -- // TODO Auto-generated method stub -- return false; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getAttribute(java.lang.String) -- */ -- public Object getAttribute( String name ) { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getAttributeNames() -- */ -- public Enumeration<String> getAttributeNames() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getParameter(java.lang.String) -- */ -- public String getParameter( String name ) { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getParameterNames() -- */ -- public Enumeration<String> getParameterNames() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getParameterValues(java.lang.String) -- */ -- public String[] getParameterValues( String name ) { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getParameterMap() -- */ -- public Map<String, String[]> getParameterMap() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#isSecure() -- */ -- public boolean 
isSecure() { -- // TODO Auto-generated method stub -- return false; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#setAttribute(java.lang.String, java.lang.Object) -- */ -- public void setAttribute( String name, Object o ) { -- // TODO Auto-generated method stub -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#removeAttribute(java.lang.String) -- */ -- public void removeAttribute( String name ) { -- // TODO Auto-generated method stub -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getRequestedSessionId() -- */ -- public String getRequestedSessionId() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#isRequestedSessionIdValid() -- */ -- public boolean isRequestedSessionIdValid() { -- // TODO Auto-generated method stub -- return false; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getResponseContentType() -- */ -- public String getResponseContentType() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getResponseContentTypes() -- */ -- public Enumeration<String> getResponseContentTypes() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getLocale() -- */ -- public Locale getLocale() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getScheme() -- */ -- public String getScheme() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getServerName() -- */ -- public String getServerName() { -- // TODO Auto-generated method stub -- return null; -- } -- -- /* -- * (non-Javadoc) -- * @see javax.portlet.PortletRequest#getServerPort() -- */ -- public int getServerPort() { -- // TODO Auto-generated 
method stub -- return 0; -- } -- -- public Enumeration<Locale> getLocales() { -- return null; -- } -- --} + import java.io.InputStream; + import java.io.UnsupportedEncodingException; + import java.security.Principal; ++import java.util.Collection; + import java.util.Enumeration; + import java.util.Locale; + import java.util.Map; + ++import javax.servlet.AsyncContext; ++import javax.servlet.DispatcherType; + import javax.servlet.RequestDispatcher; ++import javax.servlet.ServletContext; ++import javax.servlet.ServletException; + import javax.servlet.ServletInputStream; ++import javax.servlet.ServletRequest; ++import javax.servlet.ServletResponse; + import javax.servlet.http.Cookie; + import javax.servlet.http.HttpServletRequest; ++import javax.servlet.http.HttpServletResponse; + import javax.servlet.http.HttpSession; ++import javax.servlet.http.Part; + + /** + * @version $Id: MockHttpServletRequest.java 1565255 2014-02-06 13:49:17Z ggregory $ +@@ -485,6 +494,52 @@ + return null; + } + ++ public boolean authenticate(HttpServletResponse response) throws IOException, ServletException { ++ return false; ++ } ++ ++ public void login(String username, String password) throws ServletException { ++ } ++ ++ public void logout() throws ServletException { ++ } ++ ++ public Collection<Part> getParts() throws IOException, ServletException { ++ return null; ++ } ++ ++ public Part getPart(String name) throws IOException, ServletException { ++ return null; ++ } ++ ++ public ServletContext getServletContext() { ++ return null; ++ } ++ ++ public AsyncContext startAsync() throws IllegalStateException { ++ return null; ++ } ++ ++ public AsyncContext startAsync(ServletRequest servletRequest, ServletResponse servletResponse) throws IllegalStateException { ++ return null; ++ } ++ ++ public boolean isAsyncStarted() { ++ return false; ++ } ++ ++ public boolean isAsyncSupported() { ++ return false; ++ } ++ ++ public AsyncContext getAsyncContext() { ++ return null; ++ } ++ ++ public 
DispatcherType getDispatcherType() {
++ return null;
++ }
++
+ private static class MyServletInputStream
+ extends javax.servlet.ServletInputStream {
+
Deleted: trunk/libcommons-fileupload-java/debian/patches/002_CVE-2013-2186.patch
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/002_CVE-2013-2186.patch 2014-02-04 13:55:52 UTC (rev 17736)
+++ trunk/libcommons-fileupload-java/debian/patches/002_CVE-2013-2186.patch 2014-02-07 12:40:48 UTC (rev 17737)
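Review bot: In the refreshed stub block on the new side of this hunk (inner hunk `@@ -485,6 +494,52 @@`), `getParts()` and `getPart(String)` return `null`, so any test that reaches the Servlet 3.0 multipart API on this mock would fail with a NullPointerException instead of a clear signal that the mock does not support it; returning `Collections.<Part>emptyList()` from `getParts()` (with `import java.util.Collections;` added alongside the other patched imports) or throwing `UnsupportedOperationException` from both makes the intent explicit. The same observation applies to `getServletContext()`, `startAsync(...)` and `getAsyncContext()`, which are presumably never reached from FileUpload's own tests and can stay as they are. The inner patch header also drops the second Description line; I read that as the portlet mocks no longer existing in the 1.3.1 test tree, and stating so in the header would keep a later refresh from reintroducing their removal. The enclosing class MockHttpServletRequest begins and ends outside the hunk.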
@@ -1,37 +0,0 @@
-Description: fix arbitrary file overwrite via poison null byte
-Origin: upstream, http://svn.apache.org/viewvc/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java?r1=1460343&r2=1507048
-Bug-Debian: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=726601
-Bug-Novell: https://bugzilla.novell.com/show_bug.cgi?id=846174
-Bug-RedHat: https://bugzilla.redhat.com/show_bug.cgi?id=974814
-
-Index: libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java
-===================================================================
---- libcommons-fileupload-java-1.3.orig/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-03-24 08:36:44.000000000 -0400
-+++ libcommons-fileupload-java-1.3/src/main/java/org/apache/commons/fileupload/disk/DiskFileItem.java 2013-11-07 09:32:20.042865874 -0500
-@@ -656,6 +656,26 @@
- // read values
- in.defaultReadObject();
-
-+ /* One expected use of serialization is to migrate HTTP sessions
-+ * containing a DiskFileItem between JVMs. Particularly if the JVMs are
-+ * on different machines It is possible that the repository location is
-+ * not valid so validate it.
-+ */
-+ if (repository != null) {
-+ if (repository.isDirectory()) {
-+ // Check path for nulls
-+ if (repository.getPath().contains("\0")) {
-+ throw new IOException(format(
-+ "The repository [%s] contains a null character",
-+ repository.getPath()));
-+ }
-+ } else {
-+ throw new IOException(format(
-+ "The repository [%s] is not a directory",
-+ repository.getAbsolutePath()));
-+ }
-+ }
-+
- OutputStream output = getOutputStream();
- if (cachedContent != null) {
- output.write(cachedContent);
Modified: trunk/libcommons-fileupload-java/debian/patches/series
===================================================================
--- trunk/libcommons-fileupload-java/debian/patches/series 2014-02-04 13:55:52 UTC (rev 17736)
+++ trunk/libcommons-fileupload-java/debian/patches/series 2014-02-07 12:40:48 UTC (rev 17737)
@@ -1,2 +1 @@
 001_update-tests-for-servlet3-api.patch
-002_CVE-2013-2186.patch
_______________________________________________
pkg-java-commits mailing list
[email protected]
http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-java-commits

