1 |
a3li 09/08/24 08:12:13 |
2 |
|
3 |
Added: struts-CVE-2008-2025.patch |
4 |
Log: |
5 |
Non-maintainer commit: Revbump to fix security bug 267081 (CVE-2008-2025). |
6 |
(Portage version: 2.2_rc33/cvs/Linux x86_64) |
7 |
|
8 |
Revision Changes Path |
9 |
1.1 dev-java/struts/files/struts-CVE-2008-2025.patch |
10 |
|
11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-java/struts/files/struts-CVE-2008-2025.patch?rev=1.1&view=markup |
12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/dev-java/struts/files/struts-CVE-2008-2025.patch?rev=1.1&content-type=text/plain |
13 |
|
14 |
Index: struts-CVE-2008-2025.patch |
15 |
=================================================================== |
16 |
diff --git a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java |
17 |
index 403ff97..386ccf3 100644 |
18 |
--- a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java |
19 |
+++ b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java |
20 |
@@ -35,6 +35,7 @@ import org.apache.struts.taglib.TagUtils; |
21 |
import org.apache.struts.taglib.logic.IterateTag; |
22 |
import org.apache.struts.util.MessageResources; |
23 |
import org.apache.struts.util.RequestUtils; |
24 |
+import org.apache.struts.util.ResponseUtils; |
25 |
|
26 |
/** |
27 |
* Base class for tags that render form elements capable of including JavaScript |
28 |
@@ -898,10 +899,12 @@ public abstract class BaseHandlerTag extends BodyTagSupport { |
29 |
*/ |
30 |
protected void prepareAttribute(StringBuffer handlers, String name, Object value) { |
31 |
if (value != null) { |
32 |
+ if (name.indexOf('"') >= 0) |
33 |
+ throw new IllegalArgumentException("quote character in attribute name"); |
34 |
handlers.append(" "); |
35 |
handlers.append(name); |
36 |
handlers.append("=\""); |
37 |
- handlers.append(value); |
38 |
+ handlers.append(ResponseUtils.filterIfQuote(value.toString())); |
39 |
handlers.append("\""); |
40 |
} |
41 |
} |
42 |
diff --git a/src/share/org/apache/struts/taglib/html/FormTag.java b/src/share/org/apache/struts/taglib/html/FormTag.java |
43 |
index e8eb9b4..ba2d782 100644 |
44 |
--- a/src/share/org/apache/struts/taglib/html/FormTag.java |
45 |
+++ b/src/share/org/apache/struts/taglib/html/FormTag.java |
46 |
@@ -37,6 +37,7 @@ import org.apache.struts.config.ModuleConfig; |
47 |
import org.apache.struts.taglib.TagUtils; |
48 |
import org.apache.struts.util.MessageResources; |
49 |
import org.apache.struts.util.RequestUtils; |
50 |
+import org.apache.struts.util.ResponseUtils; |
51 |
|
52 |
/** |
53 |
* Custom tag that represents an input form, associated with a bean whose |
54 |
@@ -547,10 +548,10 @@ public class FormTag extends TagSupport { |
55 |
|
56 |
results.append(" action=\""); |
57 |
results.append( |
58 |
- response.encodeURL( |
59 |
+ ResponseUtils.filterIfQuote(response.encodeURL( |
60 |
TagUtils.getInstance().getActionMappingURL( |
61 |
this.action, |
62 |
- this.pageContext))); |
63 |
+ this.pageContext)))); |
64 |
|
65 |
results.append("\""); |
66 |
} |
67 |
@@ -580,7 +581,7 @@ public class FormTag extends TagSupport { |
68 |
results.append("<div><input type=\"hidden\" name=\""); |
69 |
results.append(Constants.TOKEN_KEY); |
70 |
results.append("\" value=\""); |
71 |
- results.append(token); |
72 |
+ results.append(ResponseUtils.filterIfQuote(token)); |
73 |
if (this.isXhtml()) { |
74 |
results.append("\" />"); |
75 |
} else { |
76 |
@@ -598,10 +599,12 @@ public class FormTag extends TagSupport { |
77 |
*/ |
78 |
protected void renderAttribute(StringBuffer results, String attribute, String value) { |
79 |
if (value != null) { |
80 |
+ if (attribute.indexOf('"') >= 0) |
81 |
+ throw new IllegalArgumentException("quote character in attribute name"); |
82 |
results.append(" "); |
83 |
results.append(attribute); |
84 |
results.append("=\""); |
85 |
- results.append(value); |
86 |
+ results.append(ResponseUtils.filterIfQuote(value)); |
87 |
results.append("\""); |
88 |
} |
89 |
} |
90 |
diff --git a/src/share/org/apache/struts/taglib/html/HtmlTag.java b/src/share/org/apache/struts/taglib/html/HtmlTag.java |
91 |
index fb64875..d4da38d 100644 |
92 |
--- a/src/share/org/apache/struts/taglib/html/HtmlTag.java |
93 |
+++ b/src/share/org/apache/struts/taglib/html/HtmlTag.java |
94 |
@@ -29,6 +29,7 @@ import javax.servlet.jsp.tagext.TagSupport; |
95 |
import org.apache.struts.Globals; |
96 |
import org.apache.struts.taglib.TagUtils; |
97 |
import org.apache.struts.util.MessageResources; |
98 |
+import org.apache.struts.util.ResponseUtils; |
99 |
|
100 |
/** |
101 |
* Renders an HTML <html> element with appropriate language attributes if |
102 |
@@ -151,20 +152,20 @@ public class HtmlTag extends TagSupport { |
103 |
|
104 |
if ((this.lang || this.locale || this.xhtml) && validLanguage) { |
105 |
sb.append(" lang=\""); |
106 |
- sb.append(language); |
107 |
+ sb.append(ResponseUtils.filterIfQuote(language)); |
108 |
if (validCountry) { |
109 |
sb.append("-"); |
110 |
- sb.append(country); |
111 |
+ sb.append(ResponseUtils.filterIfQuote(country)); |
112 |
} |
113 |
sb.append("\""); |
114 |
} |
115 |
|
116 |
if (this.xhtml && validLanguage) { |
117 |
sb.append(" xml:lang=\""); |
118 |
- sb.append(language); |
119 |
+ sb.append(ResponseUtils.filterIfQuote(language)); |
120 |
if (validCountry) { |
121 |
sb.append("-"); |
122 |
- sb.append(country); |
123 |
+ sb.append(ResponseUtils.filterIfQuote(country)); |
124 |
} |
125 |
sb.append("\""); |
126 |
} |
127 |
diff --git a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java |
128 |
index 77d7dba..5da8317 100644 |
129 |
--- a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java |
130 |
+++ b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java |
131 |
@@ -45,6 +45,7 @@ import org.apache.struts.Globals; |
132 |
import org.apache.struts.action.ActionMapping; |
133 |
import org.apache.struts.config.ModuleConfig; |
134 |
import org.apache.struts.taglib.TagUtils; |
135 |
+import org.apache.struts.util.ResponseUtils; |
136 |
import org.apache.struts.util.MessageResources; |
137 |
import org.apache.struts.validator.Resources; |
138 |
import org.apache.struts.validator.ValidatorPlugIn; |
139 |
@@ -850,7 +851,7 @@ public class JavascriptValidatorTag extends BodyTagSupport { |
140 |
} |
141 |
|
142 |
if (this.src != null) { |
143 |
- start.append(" src=\"" + src + "\""); |
144 |
+ start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\""); |
145 |
} |
146 |
|
147 |
start.append("> \n"); |
148 |
diff --git a/src/share/org/apache/struts/taglib/html/OptionTag.java b/src/share/org/apache/struts/taglib/html/OptionTag.java |
149 |
index 4df5c95..e9e4b2e 100644 |
150 |
--- a/src/share/org/apache/struts/taglib/html/OptionTag.java |
151 |
+++ b/src/share/org/apache/struts/taglib/html/OptionTag.java |
152 |
@@ -26,6 +26,7 @@ import javax.servlet.jsp.tagext.BodyTagSupport; |
153 |
import org.apache.struts.Globals; |
154 |
import org.apache.struts.taglib.TagUtils; |
155 |
import org.apache.struts.util.MessageResources; |
156 |
+import org.apache.struts.util.ResponseUtils; |
157 |
|
158 |
/** |
159 |
* Tag for select options. The body of this tag is presented to the user |
160 |
@@ -235,7 +236,7 @@ public class OptionTag extends BodyTagSupport { |
161 |
protected String renderOptionElement() throws JspException { |
162 |
StringBuffer results = new StringBuffer("<option value=\""); |
163 |
|
164 |
- results.append(this.value); |
165 |
+ results.append(ResponseUtils.filterIfQuote(this.value)); |
166 |
results.append("\""); |
167 |
if (disabled) { |
168 |
results.append(" disabled=\"disabled\""); |
169 |
@@ -245,17 +246,17 @@ public class OptionTag extends BodyTagSupport { |
170 |
} |
171 |
if (style != null) { |
172 |
results.append(" style=\""); |
173 |
- results.append(style); |
174 |
+ results.append(ResponseUtils.filterIfQuote(style)); |
175 |
results.append("\""); |
176 |
} |
177 |
if (styleId != null) { |
178 |
results.append(" id=\""); |
179 |
- results.append(styleId); |
180 |
+ results.append(ResponseUtils.filterIfQuote(styleId)); |
181 |
results.append("\""); |
182 |
} |
183 |
if (styleClass != null) { |
184 |
results.append(" class=\""); |
185 |
- results.append(styleClass); |
186 |
+ results.append(ResponseUtils.filterIfQuote(styleClass)); |
187 |
results.append("\""); |
188 |
} |
189 |
results.append(">"); |
190 |
diff --git a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java |
191 |
index 9999259..e5ecb66 100644 |
192 |
--- a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java |
193 |
+++ b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java |
194 |
@@ -30,6 +30,7 @@ import javax.servlet.jsp.tagext.TagSupport; |
195 |
|
196 |
import org.apache.commons.beanutils.PropertyUtils; |
197 |
import org.apache.struts.util.IteratorAdapter; |
198 |
+import org.apache.struts.util.ResponseUtils; |
199 |
import org.apache.struts.taglib.TagUtils; |
200 |
import org.apache.struts.util.MessageResources; |
201 |
|
202 |
@@ -291,7 +292,7 @@ public class OptionsCollectionTag extends TagSupport { |
203 |
if (filter) { |
204 |
sb.append(TagUtils.getInstance().filter(value)); |
205 |
} else { |
206 |
- sb.append(value); |
207 |
+ sb.append(ResponseUtils.filterIfQuote(value)); |
208 |
} |
209 |
sb.append("\""); |
210 |
if (matched) { |
211 |
@@ -299,12 +300,12 @@ public class OptionsCollectionTag extends TagSupport { |
212 |
} |
213 |
if (style != null) { |
214 |
sb.append(" style=\""); |
215 |
- sb.append(style); |
216 |
+ sb.append(ResponseUtils.filterIfQuote(style)); |
217 |
sb.append("\""); |
218 |
} |
219 |
if (styleClass != null) { |
220 |
sb.append(" class=\""); |
221 |
- sb.append(styleClass); |
222 |
+ sb.append(ResponseUtils.filterIfQuote(styleClass)); |
223 |
sb.append("\""); |
224 |
} |
225 |
|
226 |
@@ -313,7 +314,7 @@ public class OptionsCollectionTag extends TagSupport { |
227 |
if (filter) { |
228 |
sb.append(TagUtils.getInstance().filter(label)); |
229 |
} else { |
230 |
- sb.append(label); |
231 |
+ sb.append(ResponseUtils.filterIfQuote(label)); |
232 |
} |
233 |
|
234 |
sb.append("</option>\r\n"); |
235 |
diff --git a/src/share/org/apache/struts/taglib/html/OptionsTag.java b/src/share/org/apache/struts/taglib/html/OptionsTag.java |
236 |
index 90d716a..dbc14cf 100644 |
237 |
--- a/src/share/org/apache/struts/taglib/html/OptionsTag.java |
238 |
+++ b/src/share/org/apache/struts/taglib/html/OptionsTag.java |
239 |
@@ -32,6 +32,7 @@ import org.apache.commons.beanutils.PropertyUtils; |
240 |
import org.apache.struts.util.IteratorAdapter; |
241 |
import org.apache.struts.taglib.TagUtils; |
242 |
import org.apache.struts.util.MessageResources; |
243 |
+import org.apache.struts.util.ResponseUtils; |
244 |
|
245 |
/** |
246 |
* Tag for creating multiple <select> options from a collection. The |
247 |
@@ -313,7 +314,7 @@ public class OptionsTag extends TagSupport { |
248 |
if (filter) { |
249 |
sb.append(TagUtils.getInstance().filter(value)); |
250 |
} else { |
251 |
- sb.append(value); |
252 |
+ sb.append(ResponseUtils.filterIfQuote(value)); |
253 |
} |
254 |
sb.append("\""); |
255 |
if (matched) { |
256 |
@@ -321,12 +322,12 @@ public class OptionsTag extends TagSupport { |
257 |
} |
258 |
if (style != null) { |
259 |
sb.append(" style=\""); |
260 |
- sb.append(style); |
261 |
+ sb.append(ResponseUtils.filterIfQuote(style)); |
262 |
sb.append("\""); |
263 |
} |
264 |
if (styleClass != null) { |
265 |
sb.append(" class=\""); |
266 |
- sb.append(styleClass); |
267 |
+ sb.append(ResponseUtils.filterIfQuote(styleClass)); |
268 |
sb.append("\""); |
269 |
} |
270 |
|
271 |
@@ -335,7 +336,7 @@ public class OptionsTag extends TagSupport { |
272 |
if (filter) { |
273 |
sb.append(TagUtils.getInstance().filter(label)); |
274 |
} else { |
275 |
- sb.append(label); |
276 |
+ sb.append(ResponseUtils.filterIfQuote(label)); |
277 |
} |
278 |
|
279 |
sb.append("</option>\r\n"); |
280 |
diff --git a/src/share/org/apache/struts/taglib/html/RewriteTag.java b/src/share/org/apache/struts/taglib/html/RewriteTag.java |
281 |
index 804e50c..63a2f03 100644 |
282 |
--- a/src/share/org/apache/struts/taglib/html/RewriteTag.java |
283 |
+++ b/src/share/org/apache/struts/taglib/html/RewriteTag.java |
284 |
@@ -24,6 +24,7 @@ import java.util.Map; |
285 |
import javax.servlet.jsp.JspException; |
286 |
|
287 |
import org.apache.struts.taglib.TagUtils; |
288 |
+import org.apache.struts.util.ResponseUtils; |
289 |
|
290 |
/** |
291 |
* Generate a URL-encoded URI as a string. |
292 |
@@ -72,7 +73,8 @@ public class RewriteTag extends LinkTag { |
293 |
(messages.getMessage("rewrite.url", e.toString())); |
294 |
} |
295 |
|
296 |
- TagUtils.getInstance().write(pageContext, url); |
297 |
+ TagUtils.getInstance().write(pageContext, |
298 |
+ ResponseUtils.filterIfQuote(url)); |
299 |
|
300 |
return (SKIP_BODY); |
301 |
|
302 |
diff --git a/src/share/org/apache/struts/util/ResponseUtils.java b/src/share/org/apache/struts/util/ResponseUtils.java |
303 |
index 4588bb2..fe7e517 100644 |
304 |
--- a/src/share/org/apache/struts/util/ResponseUtils.java |
305 |
+++ b/src/share/org/apache/struts/util/ResponseUtils.java |
306 |
@@ -137,6 +137,37 @@ public class ResponseUtils { |
307 |
} |
308 |
|
309 |
|
310 |
+ /** |
311 |
+ * Replace double-quote characters in the input string with |
312 |
+ * proper HTML encoding. |
313 |
+ * |
314 |
+ * No other HTML-encoding is performed. As a result, the return value |
315 |
+ * can only be safely used in (X)HTML attributes surrounded by |
316 |
+ * double-quote characters (<code>"</code>). |
317 |
+ * |
318 |
+ * <p>Note that you should not use this function in new code. |
319 |
+ * It is only intended for old code which needs to be |
320 |
+ * backwards-compatible with incompletely-quoted attributes. |
321 |
+ * |
322 |
+ * @return a fresh string object if quoting is needed, |
323 |
+ * otherwise the input string |
324 |
+ */ |
325 |
+ public static String filterIfQuote(String value) { |
326 |
+ if (value == null) |
327 |
+ return null; |
328 |
+ if (value.indexOf('"') >= 0) { |
329 |
+ StringBuffer sb = new StringBuffer(value.length() + 2); |
330 |
+ for (int i = 0; i < value.length(); ++i) { |
331 |
+ final char ch = value.charAt(i); |
332 |
+ if (ch == '"') |
333 |
+ sb.append("""); |
334 |
+ else |
335 |
+ sb.append(ch); |
336 |
+ } |
337 |
+ return sb.toString(); |
338 |
+ } |
339 |
+ return value; |
340 |
+ } |
341 |
|
342 |
|
343 |
/** |