Hi, Attached is a debdiff of the changes I made for 1.2.9-3.1 0-day NMU.
Cheers, Giuseppe
diff -u libstruts1.2-java-1.2.9/debian/changelog
libstruts1.2-java-1.2.9/debian/changelog
--- libstruts1.2-java-1.2.9/debian/changelog
+++ libstruts1.2-java-1.2.9/debian/changelog
@@ -1,3 +1,11 @@
+libstruts1.2-java (1.2.9-3.1) unstable; urgency=high
+
+ * Non-maintainer upload by the testing Security Team.
+ * Fixed CVE-2008-2025: Cross-site scripting (XSS) vulnerability.
+ (Closes: #528352)
+
+ -- Giuseppe Iuculano <iucul...@debian.org> Sun, 06 Dec 2009 14:13:59 +0100
+
libstruts1.2-java (1.2.9-3) unstable; urgency=low
* Build-Depends on java-gcj-compat-dev instead of java-gcj-compat.
only in patch2:
unchanged:
--- libstruts1.2-java-1.2.9.orig/debian/patches/02_CVE-2008-2025.patch
+++ libstruts1.2-java-1.2.9/debian/patches/02_CVE-2008-2025.patch
@@ -0,0 +1,328 @@
+diff --git a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
+index 403ff97..386ccf3 100644
+--- a/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
++++ b/src/share/org/apache/struts/taglib/html/BaseHandlerTag.java
+@@ -35,6 +35,7 @@ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.taglib.logic.IterateTag;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.util.RequestUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Base class for tags that render form elements capable of including
JavaScript
+@@ -898,10 +899,12 @@ public abstract class BaseHandlerTag extends
BodyTagSupport {
+ */
+ protected void prepareAttribute(StringBuffer handlers, String name,
Object value) {
+ if (value != null) {
++ if (name.indexOf('"') >= 0)
++ throw new IllegalArgumentException("quote character in
attribute name");
+ handlers.append(" ");
+ handlers.append(name);
+ handlers.append("=\"");
+- handlers.append(value);
++ handlers.append(ResponseUtils.filterIfQuote(value.toString()));
+ handlers.append("\"");
+ }
+ }
+diff --git a/src/share/org/apache/struts/taglib/html/FormTag.java
b/src/share/org/apache/struts/taglib/html/FormTag.java
+index e8eb9b4..ba2d782 100644
+--- a/src/share/org/apache/struts/taglib/html/FormTag.java
++++ b/src/share/org/apache/struts/taglib/html/FormTag.java
+@@ -37,6 +37,7 @@ import org.apache.struts.config.ModuleConfig;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.util.RequestUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Custom tag that represents an input form, associated with a bean whose
+@@ -547,10 +548,10 @@ public class FormTag extends TagSupport {
+
+ results.append(" action=\"");
+ results.append(
+- response.encodeURL(
++ ResponseUtils.filterIfQuote(response.encodeURL(
+ TagUtils.getInstance().getActionMappingURL(
+ this.action,
+- this.pageContext)));
++ this.pageContext))));
+
+ results.append("\"");
+ }
+@@ -580,7 +581,7 @@ public class FormTag extends TagSupport {
+ results.append("<div><input type=\"hidden\" name=\"");
+ results.append(Constants.TOKEN_KEY);
+ results.append("\" value=\"");
+- results.append(token);
++ results.append(ResponseUtils.filterIfQuote(token));
+ if (this.isXhtml()) {
+ results.append("\" />");
+ } else {
+@@ -598,10 +599,12 @@ public class FormTag extends TagSupport {
+ */
+ protected void renderAttribute(StringBuffer results, String attribute,
String value) {
+ if (value != null) {
++ if (attribute.indexOf('"') >= 0)
++ throw new IllegalArgumentException("quote character in
attribute name");
+ results.append(" ");
+ results.append(attribute);
+ results.append("=\"");
+- results.append(value);
++ results.append(ResponseUtils.filterIfQuote(value));
+ results.append("\"");
+ }
+ }
+diff --git a/src/share/org/apache/struts/taglib/html/HtmlTag.java
b/src/share/org/apache/struts/taglib/html/HtmlTag.java
+index fb64875..d4da38d 100644
+--- a/src/share/org/apache/struts/taglib/html/HtmlTag.java
++++ b/src/share/org/apache/struts/taglib/html/HtmlTag.java
+@@ -29,6 +29,7 @@ import javax.servlet.jsp.tagext.TagSupport;
+ import org.apache.struts.Globals;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Renders an HTML <html> element with appropriate language attributes if
+@@ -151,20 +152,20 @@ public class HtmlTag extends TagSupport {
+
+ if ((this.lang || this.locale || this.xhtml) && validLanguage) {
+ sb.append(" lang=\"");
+- sb.append(language);
++ sb.append(ResponseUtils.filterIfQuote(language));
+ if (validCountry) {
+ sb.append("-");
+- sb.append(country);
++ sb.append(ResponseUtils.filterIfQuote(country));
+ }
+ sb.append("\"");
+ }
+
+ if (this.xhtml && validLanguage) {
+ sb.append(" xml:lang=\"");
+- sb.append(language);
++ sb.append(ResponseUtils.filterIfQuote(language));
+ if (validCountry) {
+ sb.append("-");
+- sb.append(country);
++ sb.append(ResponseUtils.filterIfQuote(country));
+ }
+ sb.append("\"");
+ }
+diff --git
a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
+index 77d7dba..5da8317 100644
+--- a/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
++++ b/src/share/org/apache/struts/taglib/html/JavascriptValidatorTag.java
+@@ -45,6 +45,7 @@ import org.apache.struts.Globals;
+ import org.apache.struts.action.ActionMapping;
+ import org.apache.struts.config.ModuleConfig;
+ import org.apache.struts.taglib.TagUtils;
++import org.apache.struts.util.ResponseUtils;
+ import org.apache.struts.util.MessageResources;
+ import org.apache.struts.validator.Resources;
+ import org.apache.struts.validator.ValidatorPlugIn;
+@@ -850,7 +851,7 @@ public class JavascriptValidatorTag extends BodyTagSupport
{
+ }
+
+ if (this.src != null) {
+- start.append(" src=\"" + src + "\"");
++ start.append(" src=\"" + ResponseUtils.filterIfQuote(src) + "\"");
+ }
+
+ start.append("> \n");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionTag.java
b/src/share/org/apache/struts/taglib/html/OptionTag.java
+index 4df5c95..e9e4b2e 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionTag.java
+@@ -26,6 +26,7 @@ import javax.servlet.jsp.tagext.BodyTagSupport;
+ import org.apache.struts.Globals;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Tag for select options. The body of this tag is presented to the user
+@@ -235,7 +236,7 @@ public class OptionTag extends BodyTagSupport {
+ protected String renderOptionElement() throws JspException {
+ StringBuffer results = new StringBuffer("<option value=\"");
+
+- results.append(this.value);
++ results.append(ResponseUtils.filterIfQuote(this.value));
+ results.append("\"");
+ if (disabled) {
+ results.append(" disabled=\"disabled\"");
+@@ -245,17 +246,17 @@ public class OptionTag extends BodyTagSupport {
+ }
+ if (style != null) {
+ results.append(" style=\"");
+- results.append(style);
++ results.append(ResponseUtils.filterIfQuote(style));
+ results.append("\"");
+ }
+ if (styleId != null) {
+ results.append(" id=\"");
+- results.append(styleId);
++ results.append(ResponseUtils.filterIfQuote(styleId));
+ results.append("\"");
+ }
+ if (styleClass != null) {
+ results.append(" class=\"");
+- results.append(styleClass);
++ results.append(ResponseUtils.filterIfQuote(styleClass));
+ results.append("\"");
+ }
+ results.append(">");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
+index 9999259..e5ecb66 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionsCollectionTag.java
+@@ -30,6 +30,7 @@ import javax.servlet.jsp.tagext.TagSupport;
+
+ import org.apache.commons.beanutils.PropertyUtils;
+ import org.apache.struts.util.IteratorAdapter;
++import org.apache.struts.util.ResponseUtils;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
+
+@@ -291,7 +292,7 @@ public class OptionsCollectionTag extends TagSupport {
+ if (filter) {
+ sb.append(TagUtils.getInstance().filter(value));
+ } else {
+- sb.append(value);
++ sb.append(ResponseUtils.filterIfQuote(value));
+ }
+ sb.append("\"");
+ if (matched) {
+@@ -299,12 +300,12 @@ public class OptionsCollectionTag extends TagSupport {
+ }
+ if (style != null) {
+ sb.append(" style=\"");
+- sb.append(style);
++ sb.append(ResponseUtils.filterIfQuote(style));
+ sb.append("\"");
+ }
+ if (styleClass != null) {
+ sb.append(" class=\"");
+- sb.append(styleClass);
++ sb.append(ResponseUtils.filterIfQuote(styleClass));
+ sb.append("\"");
+ }
+
+@@ -313,7 +314,7 @@ public class OptionsCollectionTag extends TagSupport {
+ if (filter) {
+ sb.append(TagUtils.getInstance().filter(label));
+ } else {
+- sb.append(label);
++ sb.append(ResponseUtils.filterIfQuote(label));
+ }
+
+ sb.append("</option>\r\n");
+diff --git a/src/share/org/apache/struts/taglib/html/OptionsTag.java
b/src/share/org/apache/struts/taglib/html/OptionsTag.java
+index 90d716a..dbc14cf 100644
+--- a/src/share/org/apache/struts/taglib/html/OptionsTag.java
++++ b/src/share/org/apache/struts/taglib/html/OptionsTag.java
+@@ -32,6 +32,7 @@ import org.apache.commons.beanutils.PropertyUtils;
+ import org.apache.struts.util.IteratorAdapter;
+ import org.apache.struts.taglib.TagUtils;
+ import org.apache.struts.util.MessageResources;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Tag for creating multiple <select> options from a collection. The
+@@ -313,7 +314,7 @@ public class OptionsTag extends TagSupport {
+ if (filter) {
+ sb.append(TagUtils.getInstance().filter(value));
+ } else {
+- sb.append(value);
++ sb.append(ResponseUtils.filterIfQuote(value));
+ }
+ sb.append("\"");
+ if (matched) {
+@@ -321,12 +322,12 @@ public class OptionsTag extends TagSupport {
+ }
+ if (style != null) {
+ sb.append(" style=\"");
+- sb.append(style);
++ sb.append(ResponseUtils.filterIfQuote(style));
+ sb.append("\"");
+ }
+ if (styleClass != null) {
+ sb.append(" class=\"");
+- sb.append(styleClass);
++ sb.append(ResponseUtils.filterIfQuote(styleClass));
+ sb.append("\"");
+ }
+
+@@ -335,7 +336,7 @@ public class OptionsTag extends TagSupport {
+ if (filter) {
+ sb.append(TagUtils.getInstance().filter(label));
+ } else {
+- sb.append(label);
++ sb.append(ResponseUtils.filterIfQuote(label));
+ }
+
+ sb.append("</option>\r\n");
+diff --git a/src/share/org/apache/struts/taglib/html/RewriteTag.java
b/src/share/org/apache/struts/taglib/html/RewriteTag.java
+index 804e50c..63a2f03 100644
+--- a/src/share/org/apache/struts/taglib/html/RewriteTag.java
++++ b/src/share/org/apache/struts/taglib/html/RewriteTag.java
+@@ -24,6 +24,7 @@ import java.util.Map;
+ import javax.servlet.jsp.JspException;
+
+ import org.apache.struts.taglib.TagUtils;
++import org.apache.struts.util.ResponseUtils;
+
+ /**
+ * Generate a URL-encoded URI as a string.
+@@ -72,7 +73,8 @@ public class RewriteTag extends LinkTag {
+ (messages.getMessage("rewrite.url", e.toString()));
+ }
+
+- TagUtils.getInstance().write(pageContext, url);
++ TagUtils.getInstance().write(pageContext,
++ ResponseUtils.filterIfQuote(url));
+
+ return (SKIP_BODY);
+
+diff --git a/src/share/org/apache/struts/util/ResponseUtils.java
b/src/share/org/apache/struts/util/ResponseUtils.java
+index 4588bb2..fe7e517 100644
+--- a/src/share/org/apache/struts/util/ResponseUtils.java
++++ b/src/share/org/apache/struts/util/ResponseUtils.java
+@@ -137,6 +137,37 @@ public class ResponseUtils {
+ }
+
+
++ /**
++ * Replace double-quote characters in the input string with
++ * proper HTML encoding.
++ *
++ * No other HTML-encoding is performed. As a result, the return value
++ * can only be safely used in (X)HTML attributes surrounded by
++ * double-quote characters (<code>"</code>).
++ *
++ * <p>Note that you should not use this function in new code.
++ * It is only intended for old code which needs to be
++ * backwards-compatible with incompletely-quoted attributes.
++ *
++ * @return a fresh string object if quoting is needed,
++ * otherwise the input string
++ */
++ public static String filterIfQuote(String value) {
++ if (value == null)
++ return null;
++ if (value.indexOf('"') >= 0) {
++ StringBuffer sb = new StringBuffer(value.length() + 2);
++ for (int i = 0; i < value.length(); ++i) {
++ final char ch = value.charAt(i);
++ if (ch == '"')
++ sb.append(""");
++ else
++ sb.append(ch);
++ }
++ return sb.toString();
++ }
++ return value;
++ }
+
+
+ /**
signature.asc
Description: OpenPGP digital signature
