rpms/jetty/devel jetty-cookiedump.patch, NONE, 1.1 jetty-log.patch, NONE, 1.1 jetty.spec, 1.22, 1.23
Jeff Johnston
jjohnstn at fedoraproject.org
Tue Nov 3 20:12:05 UTC 2009
Author: jjohnstn
Update of /cvs/pkgs/rpms/jetty/devel
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv28327
Modified Files:
jetty.spec
Added Files:
jetty-cookiedump.patch jetty-log.patch
Log Message:
* Tue Nov 03 2009 Jeff Johnston <jjohnstn at redhat.com> 6.1.21-3
- Security issues
- Resolves #532675, #5326565
jetty-cookiedump.patch:
CookieDump.java | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- NEW FILE jetty-cookiedump.patch ---
diff -up ./examples/test-webapp/src/main/java/com/acme/CookieDump.java.fix ./examples/test-webapp/src/main/java/com/acme/CookieDump.java
--- ./examples/test-webapp/src/main/java/com/acme/CookieDump.java.fix 2009-11-03 12:32:01.000000000 -0500
+++ ./examples/test-webapp/src/main/java/com/acme/CookieDump.java 2009-11-03 12:33:52.000000000 -0500
@@ -26,6 +26,8 @@ import javax.servlet.http.HttpServletReq
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;
+import org.mortbay.util.StringUtil;
+
/* ------------------------------------------------------------ */
/** Test Servlet Cookies.
@@ -89,7 +91,7 @@ public class CookieDump extends HttpServ
for (int i=0;cookies!=null && i<cookies.length;i++)
{
- out.println("<b>"+cookies[i].getName()+"</b>="+cookies[i].getValue()+"<br/>");
+ out.println("<b>"+deScript(cookies[i].getName())+"</b>="+deScript(cookies[i].getValue())+"<br/>");
}
out.println("<form action=\""+response.encodeURL(getURI(request))+"\" method=\"post\">");
@@ -114,5 +116,15 @@ public class CookieDump extends HttpServ
uri=request.getRequestURI();
return uri;
}
-
+
+ /* ------------------------------------------------------------ */
+ protected String deScript(String string)
+ {
+ if (string==null)
+ return null;
+ string=StringUtil.replace(string, "&", "&");
+ string=StringUtil.replace(string, "<", "<");
+ string=StringUtil.replace(string, ">", ">");
+ return string;
+ }
}
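Review bot: As rendered here, deScript's three replacements swap a character for itself (`StringUtil.replace(string, "&", "&")` and likewise for `<` and `>`), which would make the method a no-op and leave the cookie name and value unescaped; presumably the entity text (`&amp;`, `&lt;`, `&gt;`) was decoded when this mail was rendered, but the patch file itself should be checked before it is applied. The same rendering shows up in the ErrorHandler hunk's `writer.write("&")`, `("<")` and `(">")` cases. deScript also leaves `"` and `'` untouched, so it is only adequate where the caller emits element text, as the `<b>…</b>` line in the previous hunk does, not inside an attribute; a one-line comment on the method, `// escapes &, < and > only: safe for element content, not for attribute values`, would keep a future caller from reusing it for the form's action attribute.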
jetty-log.patch:
jetty/src/main/java/org/mortbay/jetty/HttpParser.java | 10
jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java | 42 ++
util/src/main/java/org/mortbay/log/StdErrLog.java | 151 ++++++++--
3 files changed, 166 insertions(+), 37 deletions(-)
--- NEW FILE jetty-log.patch ---
diff -up ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java.fix2 ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java
--- ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java.fix2 2009-11-03 12:45:36.000000000 -0500
+++ ./modules/jetty/src/main/java/org/mortbay/jetty/handler/ErrorHandler.java 2009-11-03 12:47:35.000000000 -0500
@@ -91,8 +91,7 @@ public class ErrorHandler extends Abstra
writer.write("<title>Error ");
writer.write(Integer.toString(code));
writer.write(' ');
- if (message!=null)
- writer.write(deScript(message));
+ write(writer,message);
writer.write("</title>\n");
}
@@ -117,9 +116,9 @@ public class ErrorHandler extends Abstra
writer.write("<h2>HTTP ERROR ");
writer.write(Integer.toString(code));
writer.write("</h2>\n<p>Problem accessing ");
- writer.write(deScript(uri));
+ write(writer,uri);
writer.write(". Reason:\n<pre> ");
- writer.write(deScript(message));
+ write(writer,message);
writer.write("</pre></p>");
}
@@ -135,7 +134,7 @@ public class ErrorHandler extends Abstra
PrintWriter pw = new PrintWriter(sw);
th.printStackTrace(pw);
pw.flush();
- writer.write(deScript(sw.getBuffer().toString()));
+ write(writer,sw.getBuffer().toString());
writer.write("</pre>\n");
th =th.getCause();
@@ -162,13 +161,34 @@ public class ErrorHandler extends Abstra
}
/* ------------------------------------------------------------ */
- protected String deScript(String string)
+ protected void write(Writer writer,String string)
+ throws IOException
{
if (string==null)
- return null;
- string=StringUtil.replace(string, "&", "&");
- string=StringUtil.replace(string, "<", "<");
- string=StringUtil.replace(string, ">", ">");
- return string;
+ return;
+
+ for (int i=0;i<string.length();i++)
+ {
+ char c=string.charAt(i);
+
+ switch(c)
+ {
+ case '&' :
+ writer.write("&");
+ break;
+ case '<' :
+ writer.write("<");
+ break;
+ case '>' :
+ writer.write(">");
+ break;
+
+ default:
+ if (Character.isISOControl(c) && !Character.isWhitespace(c))
+ writer.write('?');
+ else
+ writer.write(c);
+ }
+ }
}
}
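Review bot: The new write method has no Javadoc, and its contract matters because it is now the only escaping applied to the title, URI, reason and stack-trace text in the hunks above: it encodes `&`, `<` and `>` and turns non-whitespace ISO control characters into `?`, but lets `"` and `'` through, so it is adequate for element content such as `<title>` and `<pre>` and not for attribute values or script blocks. A Javadoc along the lines of `/** Writes string escaped for HTML element content: &, < and > are entity-encoded and non-whitespace control characters become '?'. Quotes are not escaped, so do not use this for attribute values. A null string writes nothing. */` would record that. Because `Character.isWhitespace` is true for `\n` and `\r`, line breaks pass through unchanged, which the `<pre>` callers presumably rely on.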
diff -up ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java.fix2 ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java
--- ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java.fix2 2009-11-03 12:46:07.000000000 -0500
+++ ./modules/jetty/src/main/java/org/mortbay/jetty/HttpParser.java 2009-11-03 12:47:35.000000000 -0500
@@ -465,7 +465,15 @@ public class HttpParser implements Parse
case HttpHeaders.CONTENT_LENGTH_ORDINAL:
if (_contentLength != HttpTokens.CHUNKED_CONTENT)
{
- _contentLength=BufferUtil.toLong(value);
+ try
+ {
+ _contentLength=BufferUtil.toLong(value);
+ }
+ catch(NumberFormatException e)
+ {
+ Log.ignore(e);
+ throw new HttpException(HttpServletResponse.SC_BAD_REQUEST);
+ }
if (_contentLength <= 0)
_contentLength=HttpTokens.NO_CONTENT;
}
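Review bot: A negative Content-Length still gets past the new check: a value that parses is only tested with `_contentLength <= 0` on the following context line and silently becomes NO_CONTENT, so an invalid negative length is accepted as "no body" rather than rejected. Since the commit already turns unparsable values into a 400, the same response for negatives is the consistent choice, e.g. `if (_contentLength < 0) throw new HttpException(HttpServletResponse.SC_BAD_REQUEST);` placed before the existing `<= 0` test. Whether `BufferUtil.toLong` actually throws NumberFormatException on non-numeric input, and what it does on overflow, is not visible here and should be confirmed against its source. The switch and the enclosing method continue outside the hunk.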
diff -up ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java.fix2 ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java
--- ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java.fix2 2009-11-03 12:47:02.000000000 -0500
+++ ./modules/util/src/main/java/org/mortbay/log/StdErrLog.java 2009-11-03 12:48:00.000000000 -0500
@@ -26,8 +26,10 @@ import org.mortbay.util.DateCache;
public class StdErrLog implements Logger
{
private static DateCache _dateCache;
- private static boolean debug = System.getProperty("DEBUG",null)!=null;
- private String name;
+ private static boolean __debug = System.getProperty("DEBUG",null)!=null;
+ private String _name;
+
+ StringBuffer _buffer = new StringBuffer();
static
{
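Review bot: `_buffer` on the last added field line is package-private and non-final, even though the later hunks use it both as the monitor for every synchronized block and as the shared formatting scratch space; a lock object that can be reassigned or reached from other classes in the package silently weakens that mutual exclusion. Declaring it `private final StringBuffer _buffer = new StringBuffer();` closes both holes at no cost. The class declaration continues outside the hunk.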
@@ -49,44 +51,59 @@ public class StdErrLog implements Logger
public StdErrLog(String name)
{
- this.name=name==null?"":name;
+ this._name=name==null?"":name;
}
public boolean isDebugEnabled()
{
- return debug;
+ return __debug;
}
public void setDebugEnabled(boolean enabled)
{
- debug=enabled;
+ __debug=enabled;
}
public void info(String msg,Object arg0, Object arg1)
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":INFO: "+format(msg,arg0,arg1));
+ synchronized(_buffer)
+ {
+ tag(d,ms,":INFO:");
+ format(msg,arg0,arg1);
+ System.err.println(_buffer.toString());
+ }
}
public void debug(String msg,Throwable th)
{
- if (debug)
+ if (__debug)
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":DEBUG: "+msg);
- if (th!=null) th.printStackTrace();
+ synchronized(_buffer)
+ {
+ tag(d,ms,":DBUG:");
+ format(msg);
+ format(th);
+ System.err.println(_buffer.toString());
+ }
}
}
public void debug(String msg,Object arg0, Object arg1)
{
- if (debug)
+ if (__debug)
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":DEBUG: "+format(msg,arg0,arg1));
+ synchronized(_buffer)
+ {
+ tag(d,ms,":DBUG:");
+ format(msg,arg0,arg1);
+ System.err.println(_buffer.toString());
+ }
}
}
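Review bot: `format(th)` on the `debug(String,Throwable)` path is now called unconditionally, and `format(Throwable)` as added in the last hunk starts with `th.toString()`, so a null throwable — which the removed `if (th!=null) th.printStackTrace();` explicitly tolerated — now throws NullPointerException inside the synchronized block; `warn(String,Throwable)` in the next hunk has the same exposure. The one-line guard belongs at the top of `format(Throwable)`: `if (th==null) return;`. The same two methods also changed from concatenating a null `msg` as the text "null" to calling `format(msg)`, which dereferences it at `msg.length()`; `if (msg!=null) format(msg);` at both call sites, or an equivalent guard in `format(String)`, restores the old tolerance.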
@@ -94,42 +111,126 @@ public class StdErrLog implements Logger
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":WARN: "+format(msg,arg0,arg1));
+ synchronized(_buffer)
+ {
+ tag(d,ms,":WARN:");
+ format(msg,arg0,arg1);
+ System.err.println(_buffer.toString());
+ }
}
public void warn(String msg, Throwable th)
{
String d=_dateCache.now();
int ms=_dateCache.lastMs();
- System.err.println(d+(ms>99?".":(ms>9?".0":".00"))+ms+":"+name+":WARN: "+msg);
- if (th!=null)
- th.printStackTrace();
+ synchronized(_buffer)
+ {
+ tag(d,ms,":WARN:");
+ format(msg);
+ format(th);
+ System.err.println(_buffer.toString());
+ }
}
-
- private String format(String msg, Object arg0, Object arg1)
+
+ private void tag(String d,int ms,String tag)
+ {
+ _buffer.setLength(0);
+ _buffer.append(d);
+ if (ms>99)
+ _buffer.append('.');
+ else if (ms>9)
+ _buffer.append(".0");
+ else
+ _buffer.append(".00");
+ _buffer.append(ms).append(tag).append(_name).append(':');
+ }
+
+ private void format(String msg, Object arg0, Object arg1)
{
int i0=msg.indexOf("{}");
int i1=i0<0?-1:msg.indexOf("{}",i0+2);
- if (arg1!=null && i1>=0)
- msg=msg.substring(0,i1)+arg1+msg.substring(i1+2);
- if (arg0!=null && i0>=0)
- msg=msg.substring(0,i0)+arg0+msg.substring(i0+2);
- return msg;
+ if (i0>=0)
+ {
+ format(msg.substring(0,i0));
+ format(String.valueOf(arg0));
+
+ if (i1>=0)
+ {
+ format(msg.substring(i0+2,i1));
+ format(String.valueOf(arg1));
+ format(msg.substring(i1+2));
+ }
+ else
+ {
+ format(msg.substring(i0+2));
+ if (arg1!=null)
+ {
+ _buffer.append(' ');
+ format(String.valueOf(arg1));
+ }
+ }
+ }
+ else
+ {
+ format(msg);
+ if (arg0!=null)
+ {
+ _buffer.append(' ');
+ format(String.valueOf(arg0));
+ }
+ if (arg1!=null)
+ {
+ _buffer.append(' ');
+ format(String.valueOf(arg1));
+ }
+ }
+ }
+
+ private void format(String msg)
+ {
+ for (int i=0;i<msg.length();i++)
+ {
+ char c=msg.charAt(i);
+ if (Character.isISOControl(c))
+ {
+ if (c=='\n')
+ _buffer.append('|');
+ else if (c=='\r')
+ _buffer.append('<');
+ else
+ _buffer.append('?');
+ }
+ else
+ _buffer.append(c);
+ }
+ }
+
+ private void format(Throwable th)
+ {
+ _buffer.append('\n');
+ format(th.toString());
+ StackTraceElement[] elements = th.getStackTrace();
+ for (int i=0;elements!=null && i<elements.length;i++)
+ {
+ _buffer.append("\n\tat ");
+ format(elements[i].toString());
+ }
}
public Logger getLogger(String name)
{
- if ((name==null && this.name==null) ||
- (name!=null && name.equals(this.name)))
+ if ((name==null && this._name==null) ||
+ (name!=null && name.equals(this._name)))
return this;
return new StdErrLog(name);
}
public String toString()
{
- return "STDERR"+name;
+ return "STDERR"+_name;
}
+
}
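Review bot: `format(Throwable)` walks only the top-level stack trace, so the `Caused by:` chain that the replaced `th.printStackTrace()` calls used to print is dropped from WARN and DEBUG output; for wrapped exceptions the root cause, usually the useful part, no longer reaches the log. Iterating `getCause()` inside the same sanitizing loop keeps the new control-character filtering while restoring that information; printStackTrace guards against cyclic cause chains with an identity set, which the loop below does not, an accepted simplification for the pathological case. Separately, `format(String,Object,Object)` now appends `String.valueOf(arg0)` for a `{}` placeholder even when arg0 is null, where the old code left the placeholder in place; if that is intentional it deserves a comment, since callers may depend on the literal `{}` surviving.
```java
    private void format(Throwable th)
    {
        for (Throwable t=th; t!=null; t=t.getCause())
        {
            _buffer.append(t==th ? "\n" : "\nCaused by: ");
            format(t.toString());
            StackTraceElement[] elements = t.getStackTrace();
            for (int i=0;elements!=null && i<elements.length;i++)
            {
                _buffer.append("\n\tat ");
                format(elements[i].toString());
            }
        }
    }
```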
Index: jetty.spec
===================================================================
RCS file: /cvs/pkgs/rpms/jetty/devel/jetty.spec,v
retrieving revision 1.22
retrieving revision 1.23
diff -u -p -r1.22 -r1.23
--- jetty.spec 29 Sep 2009 12:43:56 -0000 1.22
+++ jetty.spec 3 Nov 2009 20:12:04 -0000 1.23
@@ -42,7 +42,7 @@
Name: jetty
Version: 6.1.21
-Release: 2%{?dist}
+Release: 3%{?dist}
Summary: The Jetty Webserver and Servlet Container
Group: Applications/Internet
@@ -55,6 +55,10 @@ Source3: jetty.logrotate
Source4: %{name}-depmap.xml
Source7: %{name}-settings.xml
Patch0: disable-modules.patch
+# Fix issues with CookieDump example
+Patch1: jetty-cookiedump.patch
+# Fix issues with error logging
+Patch2: jetty-log.patch
Patch5: jetty-unix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -142,6 +146,8 @@ for f in $(find . -name "*.?ar"); do rm
find . -name "*.class" -exec rm {} \;
%patch0 -b .sav
+%patch1 -b .sav
+%patch2 -b .sav
#%patch5
cp %{SOURCE7} settings.xml
@@ -366,6 +372,10 @@ fi
%doc %{_docdir}/%{name}-%{version}
%changelog
+* Tue Nov 03 2009 Jeff Johnston <jjohnstn at redhat.com> 6.1.21-3
+- Security issues
+- Resolves #532675, #5326565
+
* Tue Sep 29 2009 Alexander Kurtakov <akurtako at redhat.com> 6.1.21-2
- Install unversioned jars.